Edit tour

Windows Analysis Report
New Order #60-23095840024.exe

Overview

General Information

Sample name:	New Order #60-23095840024.exe
Analysis ID:	1522472
MD5:	64dbde73e410165a5e6566ed2b2282b6
SHA1:	7635298f794a9c7a68ac7675ca33574a765b8fb7
SHA256:	4d7b9bb02299bcc46d95f2df772d152d3ebb8445c04e6255040c61fb5ea46312
Tags:	exeFormbookSPAM-ITAuser-JAMESWT_MHT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

New Order #60-23095840024.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\New Order #60-23095840024.exe" MD5: 64DBDE73E410165A5E6566ED2B2282B6)

svchost.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\New Order #60-23095840024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 2260 cmdline: "C:\Windows\SysWOW64\explorer.exe" MD5: DD6597597673F72E10C9DE7901FBA0A8)

cmd.exe (PID: 5472 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.orsaperevod.online/e62s/"], "decoy": ["ellinksa.shop", "uckyspinph.xyz", "owdark.net", "arriage-therapy-72241.bond", "w7ijko4rv4p97b.top", "heirbuzzwords.buzz", "aspart.shop", "ctivemail5-kagoya-com.info", "shacertification9.shop", "zitcd65k3.buzz", "llkosoi.info", "ru8.info", "rhgtrdjdjykyetrdjftd.buzz", "yschoollist.kiwi", "oftfolio.online", "rograma-de-almacen-2.online", "oudoarms.top", "mwquas.xyz", "orjagaucha.website", "nlinechat-mh.online", "nlinebankingrates.net", "3llyb.vip", "42du394dr.autos", "ahealthcaretrends2.bond", "gbox.net", "anatanwater.net", "amearcade.shop", "ighrane.online", "01599.xyz", "ams.zone", "-mart.vip", "42bet.xyz", "6snf.shop", "nitycacao.shop", "arageflooringepoxynearme1.today", "c7qkaihvsc.top", "amingacor.click", "airosstudio.tech", "iktokonline.pro", "homasotooleboxing.net", "ashforhouse24.online", "1539.app", "atangtoto4.click", "ndex.autos", "atorengineered.tech", "angkalantogel.company", "ajudepo777.top", "jacksontimepiece.net", "gstudio-ai.homes", "unter-saaaa.buzz", "atageneral.sbs", "ingston-saaab.buzz", "i5t3.christmas", "ampanyaak.click", "dneshima.today", "angbaojia.top", "ubuz.net", "pp-games-delearglu.xyz", "insgw.bond", "7f243xb.skin", "roliig.top", "wdie3162.vip", "reechagroup.vip", "op-phone-deal.today"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17819:$sqlite3step: 68 34 1C 7B E1 0x1792c:$sqlite3step: 68 34 1C 7B E1 0x17848:$sqlite3text: 68 38 2A 90 C5 0x1796d:$sqlite3text: 68 38 2A 90 C5 0x1785b:$sqlite3blob: 68 53 D8 7F 8C 0x17983:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: svchost.exe PID: 7100	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cc30:$a1: 3C 30 50 4F 53 54 74 09 40 0x649c9:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 2260	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3792c:$a1: 3C 30 50 4F 53 54 74 09 40 0x15bede:$a1: 3C 30 50 4F 53 54 74 09 40 0x194315:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.26d0000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.svchost.exe.26d0000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.26d0000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
1.2.svchost.exe.26d0000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.svchost.exe.26d0000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\New Order #60-23095840024.exe", CommandLine: "C:\Users\user\Desktop\New Order #60-23095840024.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Order #60-23095840024.exe", ParentImage: C:\Users\user\Desktop\New Order #60-23095840024.exe, ParentProcessId: 6892, ParentProcessName: New Order #60-23095840024.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Order #60-23095840024.exe", ProcessId: 7100, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\New Order #60-23095840024.exe", CommandLine: "C:\Users\user\Desktop\New Order #60-23095840024.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Order #60-23095840024.exe", ParentImage: C:\Users\user\Desktop\New Order #60-23095840024.exe, ParentProcessId: 6892, ParentProcessName: New Order #60-23095840024.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Order #60-23095840024.exe", ProcessId: 7100, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.orsaperevod.online/e62s/"], "decoy": ["ellinksa.shop", "uckyspinph.xyz", "owdark.net", "arriage-therapy-72241.bond", "w7ijko4rv4p97b.top", "heirbuzzwords.buzz", "aspart.shop", "ctivemail5-kagoya-com.info", "shacertification9.shop", "zitcd65k3.buzz", "llkosoi.info", "ru8.info", "rhgtrdjdjykyetrdjftd.buzz", "yschoollist.kiwi", "oftfolio.online", "rograma-de-almacen-2.online", "oudoarms.top", "mwquas.xyz", "orjagaucha.website", "nlinechat-mh.online", "nlinebankingrates.net", "3llyb.vip", "42du394dr.autos", "ahealthcaretrends2.bond", "gbox.net", "anatanwater.net", "amearcade.shop", "ighrane.online", "01599.xyz", "ams.zone", "-mart.vip", "42bet.xyz", "6snf.shop", "nitycacao.shop", "arageflooringepoxynearme1.today", "c7qkaihvsc.top", "amingacor.click", "airosstudio.tech", "iktokonline.pro", "homasotooleboxing.net", "ashforhouse24.online", "1539.app", "atangtoto4.click", "ndex.autos", "atorengineered.tech", "angkalantogel.company", "ajudepo777.top", "jacksontimepiece.net", "gstudio-ai.homes", "unter-saaaa.buzz", "atageneral.sbs", "ingston-saaab.buzz", "i5t3.christmas", "ampanyaak.click", "dneshima.today", "angbaojia.top", "ubuz.net", "pp-games-delearglu.xyz", "insgw.bond", "7f243xb.skin", "roliig.top", "wdie3162.vip", "reechagroup.vip", "op-phone-deal.today"]}

Multi AV Scanner detection for domain / URL

Source: http://www.mwquas.xyz/e62s/

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: New Order #60-23095840024.exe	Virustotal: Detection: 34%			Perma Link
Source: New Order #60-23095840024.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: New Order #60-23095840024.exe

Joe Sandbox ML: detected

Source: New Order #60-23095840024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: explorer.pdbUGP source: svchost.exe, 00000001.00000003.1852485207.0000000005500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1847496501.0000000005000000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4127541703.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000001.00000003.1733134504.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734410173.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1856513403.0000000004AFA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1854348814.000000000494A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000001.00000003.1733134504.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734410173.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000003.00000003.1856513403.0000000004AFA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1854348814.000000000494A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: explorer.pdb source: svchost.exe, 00000001.00000003.1852485207.0000000005500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1847496501.0000000005000000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4127541703.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4142331969.0000000010F2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4130448150.00000000051EF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4129331723.0000000002FCB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4142331969.0000000010F2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4130448150.00000000051EF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4129331723.0000000002FCB000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop esi		1_2_026E72F1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop esi		3_2_02CC72F1

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.orsaperevod.online/e62s/

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.angbaojia.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.atangtoto4.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.zitcd65k3.buzz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.roliig.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.orsaperevod.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ighrane.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.6snf.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wdie3162.vip replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oftfolio.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.heirbuzzwords.buzz replaycode: Name error (3)

Source: unknown	DNS traffic detected: query: www.angbaojia.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.atangtoto4.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.zitcd65k3.buzz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.roliig.top replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.orsaperevod.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ighrane.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.6snf.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wdie3162.vip replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oftfolio.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.heirbuzzwords.buzz replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.wdie3162.vip
Source: global traffic	DNS traffic detected: DNS query: www.orsaperevod.online
Source: global traffic	DNS traffic detected: DNS query: www.oftfolio.online
Source: global traffic	DNS traffic detected: DNS query: www.angbaojia.top
Source: global traffic	DNS traffic detected: DNS query: www.6snf.shop
Source: global traffic	DNS traffic detected: DNS query: www.roliig.top
Source: global traffic	DNS traffic detected: DNS query: www.zitcd65k3.buzz
Source: global traffic	DNS traffic detected: DNS query: www.heirbuzzwords.buzz
Source: global traffic	DNS traffic detected: DNS query: www.atangtoto4.click
Source: global traffic	DNS traffic detected: DNS query: www.ighrane.online

Source: explorer.exe, 00000002.00000003.3114244868.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134179394.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000003.3114244868.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134179394.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000003.3114244868.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134179394.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000003.3114244868.0000000009836000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4134179394.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.0000000009837000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000002.00000000.1738322287.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4132765181.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4134892582.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1539.app
Source: explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1539.app/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1539.appReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.3llyb.vip
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.3llyb.vip/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.3llyb.vip/e62s/www.1539.app
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.3llyb.vipReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6snf.shop
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6snf.shop/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6snf.shop/e62s/www.roliig.top
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.6snf.shopReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahealthcaretrends2.bond
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahealthcaretrends2.bond/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahealthcaretrends2.bond/e62s/www.3llyb.vip
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahealthcaretrends2.bondReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbaojia.top
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbaojia.top/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbaojia.top/e62s/www.6snf.shop
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbaojia.topReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.click
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.click/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.click/e62s/www.ighrane.online
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.clickReferer:
Source: explorer.exe, 00000002.00000003.3109730173.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3112803902.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107209818.000000000C99B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3463400102.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140993491.000000000C9D3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gstudio-ai.homes
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gstudio-ai.homes/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gstudio-ai.homes/e62s/www.iktokonline.pro
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gstudio-ai.homesReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heirbuzzwords.buzz
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heirbuzzwords.buzz/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heirbuzzwords.buzz/e62s/www.atangtoto4.click
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.heirbuzzwords.buzzReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ighrane.online
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ighrane.online/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ighrane.online/e62s/www.mwquas.xyz
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ighrane.onlineReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iktokonline.pro
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iktokonline.pro/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iktokonline.pro/e62s/www.ahealthcaretrends2.bond
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iktokonline.proReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyz
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyz/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyz/e62s/www.gstudio-ai.homes
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyzReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftfolio.online
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftfolio.online/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftfolio.online/e62s/www.angbaojia.top
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftfolio.onlineReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.online
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.online/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.online/e62s/www.oftfolio.online
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.onlineReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roliig.top
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roliig.top/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roliig.top/e62s/www.zitcd65k3.buzz
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.roliig.topReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdie3162.vip
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdie3162.vip/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdie3162.vip/e62s/www.orsaperevod.online
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdie3162.vipReferer:
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zitcd65k3.buzz
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zitcd65k3.buzz/e62s/
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zitcd65k3.buzz/e62s/www.heirbuzzwords.buzz
Source: explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zitcd65k3.buzzReferer:
Source: explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000002.4133541673.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114663431.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000002.4133541673.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114663431.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000002.00000000.1736825558.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1736300273.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4127881821.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4129187722.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000003.3114663431.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133541673.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000002.4133541673.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114663431.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000003.3114663431.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133541673.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1743759977.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4138089591.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: svchost.exe PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 2260, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Order #60-23095840024.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B60 NtClose,LdrInitializeThunk,	1_2_03172B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_03172BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AD0 NtReadFile,LdrInitializeThunk,	1_2_03172AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F30 NtCreateSection,LdrInitializeThunk,	1_2_03172F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F90 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_03172F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FB0 NtResumeThread,LdrInitializeThunk,	1_2_03172FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FE0 NtCreateFile,LdrInitializeThunk,	1_2_03172FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E80 NtReadVirtualMemory,LdrInitializeThunk,	1_2_03172E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_03172EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D10 NtMapViewOfSection,LdrInitializeThunk,	1_2_03172D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D30 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_03172D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DD0 NtDelayExecution,LdrInitializeThunk,	1_2_03172DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03172DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C70 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_03172C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CA0 NtQueryInformationToken,LdrInitializeThunk,	1_2_03172CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174340 NtSetContextThread,	1_2_03174340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173010 NtOpenDirectoryObject,	1_2_03173010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173090 NtSetValueKey,	1_2_03173090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03174650 NtSuspendThread,	1_2_03174650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031735C0 NtCreateMutant,	1_2_031735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172B80 NtQueryInformationFile,	1_2_03172B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BA0 NtEnumerateValueKey,	1_2_03172BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172BE0 NtQueryValueKey,	1_2_03172BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AB0 NtWaitForSingleObject,	1_2_03172AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172AF0 NtWriteFile,	1_2_03172AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031739B0 NtGetContextThread,	1_2_031739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172F60 NtCreateProcessEx,	1_2_03172F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172FA0 NtQuerySection,	1_2_03172FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172E30 NtWriteVirtualMemory,	1_2_03172E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172EE0 NtQueueApcThread,	1_2_03172EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D10 NtOpenProcessToken,	1_2_03173D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172D00 NtSetInformationFile,	1_2_03172D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03173D70 NtOpenThread,	1_2_03173D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172DB0 NtEnumerateKey,	1_2_03172DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C00 NtQueryInformationProcess,	1_2_03172C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172C60 NtCreateKey,	1_2_03172C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CC0 NtQueryVirtualMemory,	1_2_03172CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172CF0 NtOpenProcess,	1_2_03172CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EA330 NtCreateFile,	1_2_026EA330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EA3E0 NtReadFile,	1_2_026EA3E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EA460 NtClose,	1_2_026EA460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EA510 NtAllocateVirtualMemory,	1_2_026EA510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EA2EA NtCreateFile,	1_2_026EA2EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EA50A NtAllocateVirtualMemory,	1_2_026EA50A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EA58B NtAllocateVirtualMemory,	1_2_026EA58B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	1_2_030BA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BA042 NtQueryInformationProcess,	1_2_030BA042
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	1_2_035EA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EA042 NtQueryInformationProcess,	1_2_035EA042
Source: C:\Windows\explorer.exe	Code function: 2_2_0E889E12 NtProtectVirtualMemory,	2_2_0E889E12
Source: C:\Windows\explorer.exe	Code function: 2_2_0E888232 NtCreateFile,	2_2_0E888232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E889E0A NtProtectVirtualMemory,	2_2_0E889E0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D135C0 NtCreateMutant,LdrInitializeThunk,	3_2_04D135C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_04D12CA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_04D12C70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12C60 NtCreateKey,LdrInitializeThunk,	3_2_04D12C60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12DD0 NtDelayExecution,LdrInitializeThunk,	3_2_04D12DD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_04D12DF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_04D12D10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_04D12EA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12FE0 NtCreateFile,LdrInitializeThunk,	3_2_04D12FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12F30 NtCreateSection,LdrInitializeThunk,	3_2_04D12F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12AD0 NtReadFile,LdrInitializeThunk,	3_2_04D12AD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_04D12BF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12BE0 NtQueryValueKey,LdrInitializeThunk,	3_2_04D12BE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12B60 NtClose,LdrInitializeThunk,	3_2_04D12B60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D14650 NtSuspendThread,	3_2_04D14650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D13090 NtSetValueKey,	3_2_04D13090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D13010 NtOpenDirectoryObject,	3_2_04D13010
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D14340 NtSetContextThread,	3_2_04D14340
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12CC0 NtQueryVirtualMemory,	3_2_04D12CC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12CF0 NtOpenProcess,	3_2_04D12CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12C00 NtQueryInformationProcess,	3_2_04D12C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12DB0 NtEnumerateKey,	3_2_04D12DB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D13D70 NtOpenThread,	3_2_04D13D70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D13D10 NtOpenProcessToken,	3_2_04D13D10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12D00 NtSetInformationFile,	3_2_04D12D00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12D30 NtUnmapViewOfSection,	3_2_04D12D30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12EE0 NtQueueApcThread,	3_2_04D12EE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12E80 NtReadVirtualMemory,	3_2_04D12E80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12E30 NtWriteVirtualMemory,	3_2_04D12E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12F90 NtProtectVirtualMemory,	3_2_04D12F90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12FB0 NtResumeThread,	3_2_04D12FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12FA0 NtQuerySection,	3_2_04D12FA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12F60 NtCreateProcessEx,	3_2_04D12F60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D139B0 NtGetContextThread,	3_2_04D139B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12AF0 NtWriteFile,	3_2_04D12AF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12AB0 NtWaitForSingleObject,	3_2_04D12AB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12B80 NtQueryInformationFile,	3_2_04D12B80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D12BA0 NtEnumerateValueKey,	3_2_04D12BA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCA3E0 NtReadFile,	3_2_02CCA3E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCA330 NtCreateFile,	3_2_02CCA330
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCA460 NtClose,	3_2_02CCA460
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCA510 NtAllocateVirtualMemory,	3_2_02CCA510
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCA2EA NtCreateFile,	3_2_02CCA2EA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCA58B NtAllocateVirtualMemory,	3_2_02CCA58B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCA50A NtAllocateVirtualMemory,	3_2_02CCA50A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AEA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	3_2_04AEA036
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AE9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	3_2_04AE9BAF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AEA042 NtQueryInformationProcess,	3_2_04AEA042
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AE9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	3_2_04AE9BB2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F132D	1_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D34C	1_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0318739A	1_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032003E6	1_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D2F0	1_2_0315D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130100	1_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B16B	1_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317516C	1_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032001AA	1_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314B1B0	1_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F81CC	1_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF0CC	1_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F70E9	1_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF0E0	1_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03164750	1_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF7B0	1_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C6E0	1_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140535	1_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7571	1_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DD5B0	1_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03200591	1_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FF43F	1_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F2446	1_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03131460	1_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EE4F6	1_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FAB40	1_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFB76	1_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03109B80	1_2_03109B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FB80	1_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F6BD7	1_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0317DBF9	1_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFA49	1_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7A46	1_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B3A6C	1_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313EA80	1_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DDAAC	1_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03185AA0	1_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EDAC6	1_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149950	1_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B950	1_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03156962	1_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320A9A6	1_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031429A0	1_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03142840	1_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314A840	1_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031268B8	1_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E8F0	1_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031438E0	1_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFF09	1_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160F30	1_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03182F28	1_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4F40	1_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141F92	1_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFFB1	1_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD2	1_2_03103FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03103FD5	1_2_03103FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132FC8	1_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEE26	1_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140E59	1_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03152E90	1_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FCE93	1_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03149EB0	1_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FEEDB	1_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314AD00	1_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F1D5A	1_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03143D40	1_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F7D73	1_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03158DBF	1_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315FDC0	1_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313ADE0	1_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140C00	1_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B9C32	1_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0CB5	1_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130CF2	1_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FFCF2	1_2_031FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026D1026	1_2_026D1026
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026D1030	1_2_026D1030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EE0EA	1_2_026EE0EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EE743	1_2_026EE743
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EE43E	1_2_026EE43E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026ED569	1_2_026ED569
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026ED576	1_2_026ED576
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EEAD0	1_2_026EEAD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EDA81	1_2_026EDA81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EDB72	1_2_026EDB72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026D9E60	1_2_026D9E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026D9E5B	1_2_026D9E5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026EEE34	1_2_026EEE34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026D2FB0	1_2_026D2FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026D2D90	1_2_026D2D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BA036	1_2_030BA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BB232	1_2_030BB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B1082	1_2_030B1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE5CD	1_2_030BE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B5B32	1_2_030B5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B5B30	1_2_030B5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B8912	1_2_030B8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030B2D02	1_2_030B2D02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EA036	1_2_035EA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035E5B32	1_2_035E5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035E5B30	1_2_035E5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EB232	1_2_035EB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035E8912	1_2_035E8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035E1082	1_2_035E1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035E2D02	1_2_035E2D02
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EE5CD	1_2_035EE5CD
Source: C:\Windows\explorer.exe	Code function: 2_2_0E542232	2_2_0E542232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E53CB32	2_2_0E53CB32
Source: C:\Windows\explorer.exe	Code function: 2_2_0E53CB30	2_2_0E53CB30
Source: C:\Windows\explorer.exe	Code function: 2_2_0E541036	2_2_0E541036
Source: C:\Windows\explorer.exe	Code function: 2_2_0E538082	2_2_0E538082
Source: C:\Windows\explorer.exe	Code function: 2_2_0E53F912	2_2_0E53F912
Source: C:\Windows\explorer.exe	Code function: 2_2_0E539D02	2_2_0E539D02
Source: C:\Windows\explorer.exe	Code function: 2_2_0E5455CD	2_2_0E5455CD
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6B5232	2_2_0E6B5232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6AFB32	2_2_0E6AFB32
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6AFB30	2_2_0E6AFB30
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6B4036	2_2_0E6B4036
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6AB082	2_2_0E6AB082
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6ACD02	2_2_0E6ACD02
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6B2912	2_2_0E6B2912
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6B85CD	2_2_0E6B85CD
Source: C:\Windows\explorer.exe	Code function: 2_2_0E888232	2_2_0E888232
Source: C:\Windows\explorer.exe	Code function: 2_2_0E87E082	2_2_0E87E082
Source: C:\Windows\explorer.exe	Code function: 2_2_0E887036	2_2_0E887036
Source: C:\Windows\explorer.exe	Code function: 2_2_0E88B5CD	2_2_0E88B5CD
Source: C:\Windows\explorer.exe	Code function: 2_2_0E87FD02	2_2_0E87FD02
Source: C:\Windows\explorer.exe	Code function: 2_2_0E885912	2_2_0E885912
Source: C:\Windows\explorer.exe	Code function: 2_2_0E882B30	2_2_0E882B30
Source: C:\Windows\explorer.exe	Code function: 2_2_0E882B32	2_2_0E882B32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D8E4F6	3_2_04D8E4F6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D92446	3_2_04D92446
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CD1460	3_2_04CD1460
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9F43F	3_2_04D9F43F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04DA0591	3_2_04DA0591
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D7D5B0	3_2_04D7D5B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D97571	3_2_04D97571
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE0535	3_2_04CE0535
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D916CC	3_2_04D916CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CFC6E0	3_2_04CFC6E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CDC7C0	3_2_04CDC7C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9F7B0	3_2_04D9F7B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D04750	3_2_04D04750
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE0770	3_2_04CE0770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE70C0	3_2_04CE70C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D8F0CC	3_2_04D8F0CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D970E9	3_2_04D970E9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9F0E0	3_2_04D9F0E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D981CC	3_2_04D981CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04DA01AA	3_2_04DA01AA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CEB1B0	3_2_04CEB1B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04DAB16B	3_2_04DAB16B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D1516C	3_2_04D1516C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CCF172	3_2_04CCF172
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CD0100	3_2_04CD0100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D7A118	3_2_04D7A118
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CFB2C0	3_2_04CFB2C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D812ED	3_2_04D812ED
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CFD2F0	3_2_04CFD2F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE52A0	3_2_04CE52A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D80274	3_2_04D80274
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04DA03E6	3_2_04DA03E6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CEE3F0	3_2_04CEE3F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D2739A	3_2_04D2739A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CCD34C	3_2_04CCD34C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9A352	3_2_04D9A352
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9132D	3_2_04D9132D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9FCF2	3_2_04D9FCF2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CD0CF2	3_2_04CD0CF2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D80CB5	3_2_04D80CB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE0C00	3_2_04CE0C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D59C32	3_2_04D59C32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CFFDC0	3_2_04CFFDC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CDADE0	3_2_04CDADE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CF8DBF	3_2_04CF8DBF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D91D5A	3_2_04D91D5A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE3D40	3_2_04CE3D40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D97D73	3_2_04D97D73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CEAD00	3_2_04CEAD00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9EEDB	3_2_04D9EEDB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9CE93	3_2_04D9CE93
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CF2E90	3_2_04CF2E90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE9EB0	3_2_04CE9EB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE0E59	3_2_04CE0E59
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9EE26	3_2_04D9EE26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CD2FC8	3_2_04CD2FC8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE1F92	3_2_04CE1F92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9FFB1	3_2_04D9FFB1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D54F40	3_2_04D54F40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9FF09	3_2_04D9FF09
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D00F30	3_2_04D00F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D22F28	3_2_04D22F28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D0E8F0	3_2_04D0E8F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE38E0	3_2_04CE38E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CC68B8	3_2_04CC68B8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE2840	3_2_04CE2840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CEA840	3_2_04CEA840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D4D800	3_2_04D4D800
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE29A0	3_2_04CE29A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04DAA9A6	3_2_04DAA9A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CE9950	3_2_04CE9950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CFB950	3_2_04CFB950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CF6962	3_2_04CF6962
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D8DAC6	3_2_04D8DAC6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CDEA80	3_2_04CDEA80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D25AA0	3_2_04D25AA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D7DAAC	3_2_04D7DAAC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9FA49	3_2_04D9FA49
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D97A46	3_2_04D97A46
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D53A6C	3_2_04D53A6C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D96BD7	3_2_04D96BD7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D1DBF9	3_2_04D1DBF9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CFFB80	3_2_04CFFB80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9AB40	3_2_04D9AB40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04D9FB76	3_2_04D9FB76
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCEAD0	3_2_02CCEAD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCDA81	3_2_02CCDA81
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CB9E5B	3_2_02CB9E5B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CB9E60	3_2_02CB9E60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCEE34	3_2_02CCEE34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CB2FB0	3_2_02CB2FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCE743	3_2_02CCE743
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CB2D90	3_2_02CB2D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCD569	3_2_02CCD569
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCD576	3_2_02CCD576
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AEA036	3_2_04AEA036
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AEE5CD	3_2_04AEE5CD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AE2D02	3_2_04AE2D02
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AE1082	3_2_04AE1082
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AE8912	3_2_04AE8912
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AEB232	3_2_04AEB232
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AE5B32	3_2_04AE5B32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04AE5B30	3_2_04AE5B30

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04D4EA12 appears 86 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04D15130 appears 36 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04CCB970 appears 250 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04D27E54 appears 86 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04D5F290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0312B970 appears 248 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03175130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03187E54 appears 85 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 031AEA12 appears 84 times

Source: New Order #60-23095840024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: svchost.exe PID: 7100, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 2260, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@520/1@10/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe

File created: C:\Users\user\AppData\Local\Temp\Idonna

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: New Order #60-23095840024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New Order #60-23095840024.exe	Virustotal: Detection: 34%
Source: New Order #60-23095840024.exe	ReversingLabs: Detection: 31%

Source: explorer.exe	String found in binary or memory: /LOADSAVEDWINDOWS
Source: explorer.exe	String found in binary or memory: accent-startColor
Source: explorer.exe	String found in binary or memory: accent-startColorMenu
Source: explorer.exe	String found in binary or memory: themes-installTheme
Source: explorer.exe	String found in binary or memory: Microsoft-Windows-Shell-Launcher
Source: explorer.exe	String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe

File read: C:\Users\user\Desktop\New Order #60-23095840024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Order #60-23095840024.exe "C:\Users\user\Desktop\New Order #60-23095840024.exe"
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Order #60-23095840024.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Order #60-23095840024.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: New Order #60-23095840024.exe

Static file information: File size 1153231 > 1048576

Source:	Binary string: explorer.pdbUGP source: svchost.exe, 00000001.00000003.1852485207.0000000005500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1847496501.0000000005000000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4127541703.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000001.00000003.1733134504.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734410173.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1856513403.0000000004AFA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1854348814.000000000494A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000001.00000003.1733134504.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1734410173.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000003.00000003.1856513403.0000000004AFA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4129912257.0000000004E3E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.1854348814.000000000494A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: explorer.pdb source: svchost.exe, 00000001.00000003.1852485207.0000000005500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1847496501.0000000005000000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4127541703.0000000000560000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000002.00000002.4142331969.0000000010F2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4130448150.00000000051EF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4129331723.0000000002FCB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000002.00000002.4142331969.0000000010F2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4130448150.00000000051EF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4129331723.0000000002FCB000.00000004.00000020.00020000.00000000.sdmp

Source: New Order #60-23095840024.exe

Static PE information: real checksum: 0xa2135 should be: 0x11fbd1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310135E push eax; iretd	1_2_03101369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310225F pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310B008 push es; iretd	1_2_0310B009
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031027FA pushad ; ret	1_2_031027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03109939 push es; iretd	1_2_03109940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031309AD push ecx; mov dword ptr [esp], ecx	1_2_031309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0310283D push eax; iretd	1_2_03102858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026E275B push ss; retf	1_2_026E275D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026ED4DB push eax; ret	1_2_026ED542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026ED4D2 push eax; ret	1_2_026ED4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026ED485 push eax; ret	1_2_026ED4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_026ED53C push eax; ret	1_2_026ED542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BEB02 push esp; retn 0000h	1_2_030BEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BEB1E push esp; retn 0000h	1_2_030BEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030BE9B5 push esp; retn 0000h	1_2_030BEAE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EEB1E push esp; retn 0000h	1_2_035EEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EEB02 push esp; retn 0000h	1_2_035EEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_035EE9B5 push esp; retn 0000h	1_2_035EEAE7
Source: C:\Windows\explorer.exe	Code function: 2_2_0E545B1E push esp; retn 0000h	2_2_0E545B1F
Source: C:\Windows\explorer.exe	Code function: 2_2_0E545B02 push esp; retn 0000h	2_2_0E545B03
Source: C:\Windows\explorer.exe	Code function: 2_2_0E5459B5 push esp; retn 0000h	2_2_0E545AE7
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6B8B02 push esp; retn 0000h	2_2_0E6B8B03
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6B8B1E push esp; retn 0000h	2_2_0E6B8B1F
Source: C:\Windows\explorer.exe	Code function: 2_2_0E6B89B5 push esp; retn 0000h	2_2_0E6B8AE7
Source: C:\Windows\explorer.exe	Code function: 2_2_0E88B9B5 push esp; retn 0000h	2_2_0E88BAE7
Source: C:\Windows\explorer.exe	Code function: 2_2_0E88BB02 push esp; retn 0000h	2_2_0E88BB03
Source: C:\Windows\explorer.exe	Code function: 2_2_0E88BB1E push esp; retn 0000h	2_2_0E88BB1F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_04CD09AD push ecx; mov dword ptr [esp], ecx	3_2_04CD09B6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCE118 push ecx; ret	3_2_02CCE119
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CC275B push ss; retf	3_2_02CC275D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 3_2_02CCD4DB push eax; ret	3_2_02CCD542

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE1

Source: C:\Windows\SysWOW64\explorer.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	API/Special instruction interceptor: Address: 40C824C
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 26D9904 second address: 26D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 26D9B7E second address: 26D9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 2CB9904 second address: 2CB990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 2CB9B7E second address: 2CB9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0315BBA0 rdtsc

1_2_0315BBA0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9727	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 875	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 1963	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 8009	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.8 %
Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 2.5 %

Source: C:\Windows\explorer.exe TID: 7164	Thread sleep count: 9727 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7164	Thread sleep time: -19454000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7164	Thread sleep count: 225 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7164	Thread sleep time: -450000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5460	Thread sleep count: 1963 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5460	Thread sleep time: -3926000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5460	Thread sleep count: 8009 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5460	Thread sleep time: -16018000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed

Source: explorer.exe, 00000002.00000000.1739797568.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.1739278087.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000002.00000002.4131063459.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000002.00000000.1739797568.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000002.4127881821.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1739797568.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000002.00000000.1739278087.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000002.00000003.3114663431.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133541673.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114663431.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133541673.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.1739797568.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000002.00000000.1737633478.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000002.00000000.1739278087.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000002.00000002.4127881821.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000002.4127881821.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_0315BBA0 rdtsc

1_2_0315BBA0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_03172B60 NtClose,LdrInitializeThunk,

1_2_03172B60

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 3_2_006479E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_006479E1

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C310 mov ecx, dword ptr fs:[00000030h]	1_2_0312C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03150310 mov ecx, dword ptr fs:[00000030h]	1_2_03150310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B930B mov eax, dword ptr fs:[00000030h]	1_2_031B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B930B mov eax, dword ptr fs:[00000030h]	1_2_031B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B930B mov eax, dword ptr fs:[00000030h]	1_2_031B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A30B mov eax, dword ptr fs:[00000030h]	1_2_0316A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03127330 mov eax, dword ptr fs:[00000030h]	1_2_03127330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F132D mov eax, dword ptr fs:[00000030h]	1_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F132D mov eax, dword ptr fs:[00000030h]	1_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315F32A mov eax, dword ptr fs:[00000030h]	1_2_0315F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129353 mov eax, dword ptr fs:[00000030h]	1_2_03129353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129353 mov eax, dword ptr fs:[00000030h]	1_2_03129353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov ecx, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B035C mov eax, dword ptr fs:[00000030h]	1_2_031B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FA352 mov eax, dword ptr fs:[00000030h]	1_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B2349 mov eax, dword ptr fs:[00000030h]	1_2_031B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D34C mov eax, dword ptr fs:[00000030h]	1_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D34C mov eax, dword ptr fs:[00000030h]	1_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03205341 mov eax, dword ptr fs:[00000030h]	1_2_03205341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D437C mov eax, dword ptr fs:[00000030h]	1_2_031D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03137370 mov eax, dword ptr fs:[00000030h]	1_2_03137370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03137370 mov eax, dword ptr fs:[00000030h]	1_2_03137370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03137370 mov eax, dword ptr fs:[00000030h]	1_2_03137370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF367 mov eax, dword ptr fs:[00000030h]	1_2_031EF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0318739A mov eax, dword ptr fs:[00000030h]	1_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0318739A mov eax, dword ptr fs:[00000030h]	1_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03128397 mov eax, dword ptr fs:[00000030h]	1_2_03128397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312E388 mov eax, dword ptr fs:[00000030h]	1_2_0312E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315438F mov eax, dword ptr fs:[00000030h]	1_2_0315438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031533A5 mov eax, dword ptr fs:[00000030h]	1_2_031533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031633A0 mov eax, dword ptr fs:[00000030h]	1_2_031633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031633A0 mov eax, dword ptr fs:[00000030h]	1_2_031633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320539D mov eax, dword ptr fs:[00000030h]	1_2_0320539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EB3D0 mov ecx, dword ptr fs:[00000030h]	1_2_031EB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC3CD mov eax, dword ptr fs:[00000030h]	1_2_031EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0313A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031383C0 mov eax, dword ptr fs:[00000030h]	1_2_031383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032053FC mov eax, dword ptr fs:[00000030h]	1_2_032053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031663FF mov eax, dword ptr fs:[00000030h]	1_2_031663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF3E6 mov eax, dword ptr fs:[00000030h]	1_2_031EF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031403E9 mov eax, dword ptr fs:[00000030h]	1_2_031403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03205227 mov eax, dword ptr fs:[00000030h]	1_2_03205227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03167208 mov eax, dword ptr fs:[00000030h]	1_2_03167208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03167208 mov eax, dword ptr fs:[00000030h]	1_2_03167208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312823B mov eax, dword ptr fs:[00000030h]	1_2_0312823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A250 mov eax, dword ptr fs:[00000030h]	1_2_0312A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EB256 mov eax, dword ptr fs:[00000030h]	1_2_031EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EB256 mov eax, dword ptr fs:[00000030h]	1_2_031EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136259 mov eax, dword ptr fs:[00000030h]	1_2_03136259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129240 mov eax, dword ptr fs:[00000030h]	1_2_03129240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129240 mov eax, dword ptr fs:[00000030h]	1_2_03129240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316724D mov eax, dword ptr fs:[00000030h]	1_2_0316724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03159274 mov eax, dword ptr fs:[00000030h]	1_2_03159274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03171270 mov eax, dword ptr fs:[00000030h]	1_2_03171270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03171270 mov eax, dword ptr fs:[00000030h]	1_2_03171270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E0274 mov eax, dword ptr fs:[00000030h]	1_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134260 mov eax, dword ptr fs:[00000030h]	1_2_03134260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FD26B mov eax, dword ptr fs:[00000030h]	1_2_031FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031FD26B mov eax, dword ptr fs:[00000030h]	1_2_031FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312826B mov eax, dword ptr fs:[00000030h]	1_2_0312826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316329E mov eax, dword ptr fs:[00000030h]	1_2_0316329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316329E mov eax, dword ptr fs:[00000030h]	1_2_0316329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316E284 mov eax, dword ptr fs:[00000030h]	1_2_0316E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B0283 mov eax, dword ptr fs:[00000030h]	1_2_031B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03205283 mov eax, dword ptr fs:[00000030h]	1_2_03205283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B92BC mov eax, dword ptr fs:[00000030h]	1_2_031B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B92BC mov eax, dword ptr fs:[00000030h]	1_2_031B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B92BC mov ecx, dword ptr fs:[00000030h]	1_2_031B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B92BC mov ecx, dword ptr fs:[00000030h]	1_2_031B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402A0 mov eax, dword ptr fs:[00000030h]	1_2_031402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h]	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h]	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h]	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031452A0 mov eax, dword ptr fs:[00000030h]	1_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h]	1_2_031F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h]	1_2_031F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h]	1_2_031F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F92A6 mov eax, dword ptr fs:[00000030h]	1_2_031F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C62A0 mov eax, dword ptr fs:[00000030h]	1_2_031C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C72A0 mov eax, dword ptr fs:[00000030h]	1_2_031C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C72A0 mov eax, dword ptr fs:[00000030h]	1_2_031C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0312B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0312B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0312B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032052E2 mov eax, dword ptr fs:[00000030h]	1_2_032052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0315F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0315F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0313A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031392C5 mov eax, dword ptr fs:[00000030h]	1_2_031392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031392C5 mov eax, dword ptr fs:[00000030h]	1_2_031392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF2F8 mov eax, dword ptr fs:[00000030h]	1_2_031EF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031292FF mov eax, dword ptr fs:[00000030h]	1_2_031292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E12ED mov eax, dword ptr fs:[00000030h]	1_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031402E1 mov eax, dword ptr fs:[00000030h]	1_2_031402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov ecx, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031DA118 mov eax, dword ptr fs:[00000030h]	1_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F0115 mov eax, dword ptr fs:[00000030h]	1_2_031F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03131131 mov eax, dword ptr fs:[00000030h]	1_2_03131131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03131131 mov eax, dword ptr fs:[00000030h]	1_2_03131131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h]	1_2_0312B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h]	1_2_0312B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h]	1_2_0312B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B136 mov eax, dword ptr fs:[00000030h]	1_2_0312B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160124 mov eax, dword ptr fs:[00000030h]	1_2_03160124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03137152 mov eax, dword ptr fs:[00000030h]	1_2_03137152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C156 mov eax, dword ptr fs:[00000030h]	1_2_0312C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03136154 mov eax, dword ptr fs:[00000030h]	1_2_03136154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov ecx, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C4144 mov eax, dword ptr fs:[00000030h]	1_2_031C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h]	1_2_03129148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h]	1_2_03129148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h]	1_2_03129148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129148 mov eax, dword ptr fs:[00000030h]	1_2_03129148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F172 mov eax, dword ptr fs:[00000030h]	1_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C9179 mov eax, dword ptr fs:[00000030h]	1_2_031C9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03205152 mov eax, dword ptr fs:[00000030h]	1_2_03205152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B019F mov eax, dword ptr fs:[00000030h]	1_2_031B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A197 mov eax, dword ptr fs:[00000030h]	1_2_0312A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03187190 mov eax, dword ptr fs:[00000030h]	1_2_03187190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03170185 mov eax, dword ptr fs:[00000030h]	1_2_03170185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EC188 mov eax, dword ptr fs:[00000030h]	1_2_031EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314B1B0 mov eax, dword ptr fs:[00000030h]	1_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]	1_2_031E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]	1_2_031E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]	1_2_031E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031E11A4 mov eax, dword ptr fs:[00000030h]	1_2_031E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032061E5 mov eax, dword ptr fs:[00000030h]	1_2_032061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316D1D0 mov eax, dword ptr fs:[00000030h]	1_2_0316D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316D1D0 mov ecx, dword ptr fs:[00000030h]	1_2_0316D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F61C3 mov eax, dword ptr fs:[00000030h]	1_2_031F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032051CB mov eax, dword ptr fs:[00000030h]	1_2_032051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031601F8 mov eax, dword ptr fs:[00000030h]	1_2_031601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031551EF mov eax, dword ptr fs:[00000030h]	1_2_031551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031351ED mov eax, dword ptr fs:[00000030h]	1_2_031351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E016 mov eax, dword ptr fs:[00000030h]	1_2_0314E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]	1_2_031F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]	1_2_031F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]	1_2_031F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F903E mov eax, dword ptr fs:[00000030h]	1_2_031F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A020 mov eax, dword ptr fs:[00000030h]	1_2_0312A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C020 mov eax, dword ptr fs:[00000030h]	1_2_0312C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03205060 mov eax, dword ptr fs:[00000030h]	1_2_03205060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03132050 mov eax, dword ptr fs:[00000030h]	1_2_03132050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D705E mov ebx, dword ptr fs:[00000030h]	1_2_031D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031D705E mov eax, dword ptr fs:[00000030h]	1_2_031D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315B052 mov eax, dword ptr fs:[00000030h]	1_2_0315B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov ecx, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03141070 mov eax, dword ptr fs:[00000030h]	1_2_03141070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315C073 mov eax, dword ptr fs:[00000030h]	1_2_0315C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03135096 mov eax, dword ptr fs:[00000030h]	1_2_03135096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D090 mov eax, dword ptr fs:[00000030h]	1_2_0315D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D090 mov eax, dword ptr fs:[00000030h]	1_2_0315D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316909C mov eax, dword ptr fs:[00000030h]	1_2_0316909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313208A mov eax, dword ptr fs:[00000030h]	1_2_0313208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D08D mov eax, dword ptr fs:[00000030h]	1_2_0312D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov eax, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_031F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B20DE mov eax, dword ptr fs:[00000030h]	1_2_031B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031590DB mov eax, dword ptr fs:[00000030h]	1_2_031590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov ecx, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031470C0 mov eax, dword ptr fs:[00000030h]	1_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0312C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031720F0 mov ecx, dword ptr fs:[00000030h]	1_2_031720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031550E4 mov eax, dword ptr fs:[00000030h]	1_2_031550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031550E4 mov ecx, dword ptr fs:[00000030h]	1_2_031550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0312A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032050D9 mov eax, dword ptr fs:[00000030h]	1_2_032050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031380E9 mov eax, dword ptr fs:[00000030h]	1_2_031380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130710 mov eax, dword ptr fs:[00000030h]	1_2_03130710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03160710 mov eax, dword ptr fs:[00000030h]	1_2_03160710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316F71F mov eax, dword ptr fs:[00000030h]	1_2_0316F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316F71F mov eax, dword ptr fs:[00000030h]	1_2_0316F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03137703 mov eax, dword ptr fs:[00000030h]	1_2_03137703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03135702 mov eax, dword ptr fs:[00000030h]	1_2_03135702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03135702 mov eax, dword ptr fs:[00000030h]	1_2_03135702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C700 mov eax, dword ptr fs:[00000030h]	1_2_0316C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]	1_2_0320B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]	1_2_0320B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]	1_2_0320B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0320B73C mov eax, dword ptr fs:[00000030h]	1_2_0320B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129730 mov eax, dword ptr fs:[00000030h]	1_2_03129730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03129730 mov eax, dword ptr fs:[00000030h]	1_2_03129730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03165734 mov eax, dword ptr fs:[00000030h]	1_2_03165734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313973A mov eax, dword ptr fs:[00000030h]	1_2_0313973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313973A mov eax, dword ptr fs:[00000030h]	1_2_0313973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov ecx, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316273C mov eax, dword ptr fs:[00000030h]	1_2_0316273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AC730 mov eax, dword ptr fs:[00000030h]	1_2_031AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF72E mov eax, dword ptr fs:[00000030h]	1_2_031EF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03133720 mov eax, dword ptr fs:[00000030h]	1_2_03133720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314F720 mov eax, dword ptr fs:[00000030h]	1_2_0314F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314F720 mov eax, dword ptr fs:[00000030h]	1_2_0314F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314F720 mov eax, dword ptr fs:[00000030h]	1_2_0314F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F972B mov eax, dword ptr fs:[00000030h]	1_2_031F972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C720 mov eax, dword ptr fs:[00000030h]	1_2_0316C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03130750 mov eax, dword ptr fs:[00000030h]	1_2_03130750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172750 mov eax, dword ptr fs:[00000030h]	1_2_03172750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B4755 mov eax, dword ptr fs:[00000030h]	1_2_031B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03143740 mov eax, dword ptr fs:[00000030h]	1_2_03143740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03143740 mov eax, dword ptr fs:[00000030h]	1_2_03143740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03143740 mov eax, dword ptr fs:[00000030h]	1_2_03143740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov esi, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316674D mov eax, dword ptr fs:[00000030h]	1_2_0316674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03138770 mov eax, dword ptr fs:[00000030h]	1_2_03138770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03140770 mov eax, dword ptr fs:[00000030h]	1_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03203749 mov eax, dword ptr fs:[00000030h]	1_2_03203749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]	1_2_0312B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]	1_2_0312B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]	1_2_0312B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312B765 mov eax, dword ptr fs:[00000030h]	1_2_0312B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF78A mov eax, dword ptr fs:[00000030h]	1_2_031EF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_032037B6 mov eax, dword ptr fs:[00000030h]	1_2_032037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D7B0 mov eax, dword ptr fs:[00000030h]	1_2_0315D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F7BA mov eax, dword ptr fs:[00000030h]	1_2_0312F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B97A9 mov eax, dword ptr fs:[00000030h]	1_2_031B97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]	1_2_031BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]	1_2_031BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]	1_2_031BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]	1_2_031BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031BF7AF mov eax, dword ptr fs:[00000030h]	1_2_031BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031307AF mov eax, dword ptr fs:[00000030h]	1_2_031307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031357C0 mov eax, dword ptr fs:[00000030h]	1_2_031357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031357C0 mov eax, dword ptr fs:[00000030h]	1_2_031357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031357C0 mov eax, dword ptr fs:[00000030h]	1_2_031357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031347FB mov eax, dword ptr fs:[00000030h]	1_2_031347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313D7E0 mov ecx, dword ptr fs:[00000030h]	1_2_0313D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031527ED mov eax, dword ptr fs:[00000030h]	1_2_031527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03133616 mov eax, dword ptr fs:[00000030h]	1_2_03133616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03133616 mov eax, dword ptr fs:[00000030h]	1_2_03133616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03172619 mov eax, dword ptr fs:[00000030h]	1_2_03172619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03161607 mov eax, dword ptr fs:[00000030h]	1_2_03161607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE609 mov eax, dword ptr fs:[00000030h]	1_2_031AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316F603 mov eax, dword ptr fs:[00000030h]	1_2_0316F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03205636 mov eax, dword ptr fs:[00000030h]	1_2_03205636
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314260B mov eax, dword ptr fs:[00000030h]	1_2_0314260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314E627 mov eax, dword ptr fs:[00000030h]	1_2_0314E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312F626 mov eax, dword ptr fs:[00000030h]	1_2_0312F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03166620 mov eax, dword ptr fs:[00000030h]	1_2_03166620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03168620 mov eax, dword ptr fs:[00000030h]	1_2_03168620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313262C mov eax, dword ptr fs:[00000030h]	1_2_0313262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0314C640 mov eax, dword ptr fs:[00000030h]	1_2_0314C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03162674 mov eax, dword ptr fs:[00000030h]	1_2_03162674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F866E mov eax, dword ptr fs:[00000030h]	1_2_031F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A660 mov eax, dword ptr fs:[00000030h]	1_2_0316A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03169660 mov eax, dword ptr fs:[00000030h]	1_2_03169660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03169660 mov eax, dword ptr fs:[00000030h]	1_2_03169660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03134690 mov eax, dword ptr fs:[00000030h]	1_2_03134690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]	1_2_031B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]	1_2_031B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]	1_2_031B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B368C mov eax, dword ptr fs:[00000030h]	1_2_031B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031276B2 mov eax, dword ptr fs:[00000030h]	1_2_031276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031276B2 mov eax, dword ptr fs:[00000030h]	1_2_031276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031276B2 mov eax, dword ptr fs:[00000030h]	1_2_031276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031666B0 mov eax, dword ptr fs:[00000030h]	1_2_031666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316C6A6 mov eax, dword ptr fs:[00000030h]	1_2_0316C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D6AA mov eax, dword ptr fs:[00000030h]	1_2_0312D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0312D6AA mov eax, dword ptr fs:[00000030h]	1_2_0312D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0316A6C7 mov eax, dword ptr fs:[00000030h]	1_2_0316A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]	1_2_0313B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]	1_2_0313B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]	1_2_0313B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]	1_2_0313B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]	1_2_0313B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0313B6C0 mov eax, dword ptr fs:[00000030h]	1_2_0313B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC mov eax, dword ptr fs:[00000030h]	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC mov eax, dword ptr fs:[00000030h]	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC mov eax, dword ptr fs:[00000030h]	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031F16CC mov eax, dword ptr fs:[00000030h]	1_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031EF6C7 mov eax, dword ptr fs:[00000030h]	1_2_031EF6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031616CF mov eax, dword ptr fs:[00000030h]	1_2_031616CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_031AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031B06F1 mov eax, dword ptr fs:[00000030h]	1_2_031B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031ED6F0 mov eax, dword ptr fs:[00000030h]	1_2_031ED6F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C36EE mov eax, dword ptr fs:[00000030h]	1_2_031C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C36EE mov eax, dword ptr fs:[00000030h]	1_2_031C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C36EE mov eax, dword ptr fs:[00000030h]	1_2_031C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C36EE mov eax, dword ptr fs:[00000030h]	1_2_031C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C36EE mov eax, dword ptr fs:[00000030h]	1_2_031C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_031C36EE mov eax, dword ptr fs:[00000030h]	1_2_031C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D6E0 mov eax, dword ptr fs:[00000030h]	1_2_0315D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0315D6E0 mov eax, dword ptr fs:[00000030h]	1_2_0315D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03167505 mov eax, dword ptr fs:[00000030h]	1_2_03167505
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03167505 mov ecx, dword ptr fs:[00000030h]	1_2_03167505
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03205537 mov eax, dword ptr fs:[00000030h]	1_2_03205537

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 3_2_006479E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_006479E1

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 2580	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 560000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 5EB008

Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-23095840024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Order #60-23095840024.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: explorer.exe, explorer.exe, 00000003.00000002.4127541703.0000000000560000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe	Binary or memory string: Progman
Source: New Order #60-23095840024.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: svchost.exe, 00000001.00000003.1852485207.0000000005500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1847496501.0000000005000000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4127541703.0000000000560000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: explorer.exe, 00000002.00000000.1736300273.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4127881821.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000002.00000000.1736514969.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4128414736.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1736514969.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4128414736.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.26d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	231 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	512 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	21 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New Order #60-23095840024.exe	35%	Virustotal		Browse
New Order #60-23095840024.exe	32%	ReversingLabs	Win32.Trojan.Swotter
New Order #60-23095840024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.atangtoto4.click	0%	Virustotal	Browse
www.6snf.shop	1%	Virustotal	Browse
www.ighrane.online	0%	Virustotal	Browse
www.roliig.top	1%	Virustotal	Browse
www.wdie3162.vip	0%	Virustotal	Browse
www.orsaperevod.online	0%	Virustotal	Browse
www.heirbuzzwords.buzz	1%	Virustotal	Browse
www.angbaojia.top	0%	Virustotal	Browse
www.zitcd65k3.buzz	0%	Virustotal	Browse
www.oftfolio.online	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://aka.ms/odirmr	0%	Virustotal		Browse
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Virustotal		Browse
http://www.heirbuzzwords.buzz	1%	Virustotal		Browse
http://www.atangtoto4.click/e62s/	0%	Virustotal		Browse
http://www.iktokonline.pro/e62s/	0%	Virustotal		Browse
http://www.6snf.shop/e62s/	0%	Virustotal		Browse
http://www.3llyb.vip	0%	Virustotal		Browse
http://www.zitcd65k3.buzz/e62s/	0%	Virustotal		Browse
http://www.ahealthcaretrends2.bond/e62s/	0%	Virustotal		Browse
http://www.orsaperevod.online	0%	Virustotal		Browse
www.orsaperevod.online/e62s/	2%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Virustotal		Browse
http://www.mwquas.xyz/e62s/	7%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Virustotal		Browse
https://wns.windows.com/L	0%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	Virustotal		Browse
http://www.wdie3162.vip/e62s/	0%	Virustotal		Browse
http://www.ahealthcaretrends2.bond	0%	Virustotal		Browse
https://word.office.com	0%	Virustotal		Browse
http://www.ighrane.online/e62s/	0%	Virustotal		Browse
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.atangtoto4.click	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.oftfolio.online	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.angbaojia.top	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.6snf.shop	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.orsaperevod.online	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.ighrane.online	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.wdie3162.vip	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.zitcd65k3.buzz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.heirbuzzwords.buzz	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.roliig.top	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.orsaperevod.online/e62s/	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.iktokonline.pro/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.oftfolio.onlineReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ahealthcaretrends2.bond/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.wdie3162.vipReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000002.4133541673.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114663431.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.roliig.top/e62s/www.zitcd65k3.buzz	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6snf.shop/e62s/www.roliig.top	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.heirbuzzwords.buzz	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.atangtoto4.click/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.6snf.shop/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.3llyb.vip	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.zitcd65k3.buzz/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.heirbuzzwords.buzz/e62s/www.atangtoto4.click	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.orsaperevod.online	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.mwquas.xyz/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
http://www.ahealthcaretrends2.bond	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.wdie3162.vip/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000003.3109730173.000000000C9CF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3112803902.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107209818.000000000C99B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3463400102.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4140993491.000000000C9D3000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://wns.windows.com/L	explorer.exe, 00000002.00000000.1743759977.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4138089591.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.orsaperevod.onlineReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://word.office.com	explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.ighrane.online/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.angbaojia.topReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micr	explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.angbaojia.top	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zitcd65k3.buzzReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orsaperevod.online/e62s/www.oftfolio.online	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ighrane.online	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.atangtoto4.clickReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ahealthcaretrends2.bond/e62s/www.3llyb.vip	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.3llyb.vip/e62s/www.1539.app	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.oftfolio.online	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zitcd65k3.buzz	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com_	explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.angbaojia.top/e62s/www.6snf.shop	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.angbaojia.top/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.oftfolio.online/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.mi	explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.gstudio-ai.homesReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000002.00000002.4138089591.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1743759977.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mwquas.xyzReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000002.00000000.1738322287.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4132765181.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.4134892582.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.oftfolio.online/e62s/www.angbaojia.top	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.atangtoto4.click	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.1539.app/e62s/	explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.heirbuzzwords.buzz/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.1539.app	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mwquas.xyz	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ighrane.online/e62s/www.mwquas.xyz	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ighrane.onlineReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wdie3162.vip	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.1539.appReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/q	explorer.exe, 00000002.00000002.4133541673.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3114663431.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.gstudio-ai.homes/e62s/www.iktokonline.pro	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orsaperevod.online/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000002.00000002.4131063459.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.roliig.top	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.atangtoto4.click/e62s/www.ighrane.online	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.iktokonline.pro/e62s/www.ahealthcaretrends2.bond	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.zitcd65k3.buzz/e62s/www.heirbuzzwords.buzz	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.heirbuzzwords.buzzReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.iktokonline.pro	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.gstudio-ai.homes/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000002.00000002.4131063459.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1737633478.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6snf.shop	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000002.00000003.3114663431.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1739278087.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4133541673.0000000009702000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.6snf.shopReferer:	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000002.00000000.1737633478.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4131063459.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.wdie3162.vip/e62s/www.orsaperevod.online	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.roliig.top/e62s/	explorer.exe, 00000002.00000003.3106409623.000000000CAED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3107809603.000000000CB0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.4141274533.000000000CB14000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522472
Start date and time:	2024-09-30 08:10:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New Order #60-23095840024.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@520/1@10/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:11:55	API Interceptor	16614444x Sleep call for process: explorer.exe modified

Process:	C:\Users\user\Desktop\New Order #60-23095840024.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.862244196279717
Encrypted:	false
SSDEEP:	3072:IlXoJuiCwOLUPDcaUQQOd1YHmn6Whvho4XxX5g7Ac0EGZA2WRsZS0I5LKM5UWi:I1bCDcaUQH6QbvxJLPVZHSrRKl
MD5:	10CFBF4508826BA323B9F98425D33F24
SHA1:	5C54A1D8B6A90B651068A382F7CB20FA334E1D26
SHA-256:	A0CBB19AA37319E21A1BFD975A9C5E38DBB3B71C4C3F3864BCD0CE2EF33CFA39
SHA-512:	95D22E1D84A3A3ADE73ACC4010C3F923DA487F482B6D2CBA3241809297557F29B28B18FF28E9018C262C1746E6D7E1E054AD38F8EA33A7BA61FC9868781E70E5
Malicious:	false
Reputation:	low
Preview:	..rj.KVW2..:....i.8A...nZI..MKVW2CMX35IL0UM8BC37FYAM78MKVW.CMX=.B0.D.c.2{.x.%^Km;$8U1,5.V("^:9. &.E37a$Y....w_,)=.8DF.UM8BC37.I..+..T...U..L...$..7...Q..K....+.a\$..+.BC37FYAM78MKVW2C..35.M1U..G.37FYAM78.KTV9BGX3.KL0UM8BC37&.@M7(MKV.0CMXs5I\0UM:BC67GYAM78HKWW2CMX3.KL0WM8BC37DY..78]KVG2CMX#5I\0UM8BC#7FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37h-$5C8MK..0CMH35I.2UM(BC37FYAM78MKVW.CM835IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX35IL0UM8BC37FYAM78MKVW2CMX

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.42381437861596
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New Order #60-23095840024.exe
File size:	1'153'231 bytes
MD5:	64dbde73e410165a5e6566ed2b2282b6
SHA1:	7635298f794a9c7a68ac7675ca33574a765b8fb7
SHA256:	4d7b9bb02299bcc46d95f2df772d152d3ebb8445c04e6255040c61fb5ea46312
SHA512:	2bb58b47caca2be94fa934b34f6e0630a4281dc63ef908a11155a3986cfdd1316bc6ee93fe41e4486b2e2bc5153c8175b990653c9ef59de81af8ada7222d4b46
SSDEEP:	24576:KfmMv6Ckr7Mny5Qtz8SC9Z0TKqIrZopc8jiFiYpn/N9H0:K3v+7/5QtUYLIF8uFHpn19H0
TLSH:	B235E112F7D780F2D9A33971297BE32BAB3575194327C48BA7E02E368F111509B36762
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	32642092d4f29244

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007F40E51B04CCh
jmp 00007F40E51A429Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F40E51A442Ah
cmp edi, eax
jc 00007F40E51A45CAh
cmp ecx, 00000100h
jc 00007F40E51A4441h
cmp dword ptr [004A94E0h], 00000000h
je 00007F40E51A4438h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F40E51A442Ah
pop esi
pop edi
pop ebp
jmp 00007F40E51A488Ah
test edi, 00000003h
jne 00007F40E51A4437h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F40E51A444Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F40E51A442Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F40E51A43EEh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x3f68	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x3f68	0x4000	a30f22c730c1cdf575b08c3ba114764d	False	0.30584716796875	data	4.294683893920916	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab570	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab698	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab7c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.3726547842401501
RT_MENU	0xac868	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xac8b8	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xac9b8	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xacee8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xad578	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xad9b8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xadfb8	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xae618	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xae9a0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xaeaf8	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0xaeb10	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xaeb28	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xaeb40	0x14	data	English	Great Britain	1.25
RT_VERSION	0xaeb58	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xaecf8	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 08:11:48.365533113 CEST	51785	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:11:48.374366045 CEST	53	51785	1.1.1.1	192.168.2.4
Sep 30, 2024 08:12:09.755598068 CEST	61384	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:12:09.764885902 CEST	53	61384	1.1.1.1	192.168.2.4
Sep 30, 2024 08:12:28.662158012 CEST	50894	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:12:28.671884060 CEST	53	50894	1.1.1.1	192.168.2.4
Sep 30, 2024 08:12:49.209109068 CEST	64324	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:12:49.558319092 CEST	53	64324	1.1.1.1	192.168.2.4
Sep 30, 2024 08:13:09.615330935 CEST	54193	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:13:09.623955011 CEST	53	54193	1.1.1.1	192.168.2.4
Sep 30, 2024 08:13:30.125929117 CEST	55593	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:13:30.219975948 CEST	53	55593	1.1.1.1	192.168.2.4
Sep 30, 2024 08:13:51.171015978 CEST	58680	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:13:51.179496050 CEST	53	58680	1.1.1.1	192.168.2.4
Sep 30, 2024 08:14:11.956454039 CEST	58240	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:14:11.966578007 CEST	53	58240	1.1.1.1	192.168.2.4
Sep 30, 2024 08:14:33.256742001 CEST	56987	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:14:33.266202927 CEST	53	56987	1.1.1.1	192.168.2.4
Sep 30, 2024 08:14:53.865458965 CEST	52605	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:14:53.880975962 CEST	53	52605	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 08:11:48.365533113 CEST	192.168.2.4	1.1.1.1	0xf1e6	Standard query (0)	www.wdie3162.vip	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:12:09.755598068 CEST	192.168.2.4	1.1.1.1	0xff0	Standard query (0)	www.orsaperevod.online	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:12:28.662158012 CEST	192.168.2.4	1.1.1.1	0xf8da	Standard query (0)	www.oftfolio.online	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:12:49.209109068 CEST	192.168.2.4	1.1.1.1	0xc4d8	Standard query (0)	www.angbaojia.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:13:09.615330935 CEST	192.168.2.4	1.1.1.1	0x815c	Standard query (0)	www.6snf.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:13:30.125929117 CEST	192.168.2.4	1.1.1.1	0x6b6c	Standard query (0)	www.roliig.top	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:13:51.171015978 CEST	192.168.2.4	1.1.1.1	0x389e	Standard query (0)	www.zitcd65k3.buzz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:14:11.956454039 CEST	192.168.2.4	1.1.1.1	0x824e	Standard query (0)	www.heirbuzzwords.buzz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:14:33.256742001 CEST	192.168.2.4	1.1.1.1	0x7c80	Standard query (0)	www.atangtoto4.click	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:14:53.865458965 CEST	192.168.2.4	1.1.1.1	0x9354	Standard query (0)	www.ighrane.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 08:11:48.374366045 CEST	1.1.1.1	192.168.2.4	0xf1e6	Name error (3)	www.wdie3162.vip	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:12:09.764885902 CEST	1.1.1.1	192.168.2.4	0xff0	Name error (3)	www.orsaperevod.online	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:12:28.671884060 CEST	1.1.1.1	192.168.2.4	0xf8da	Name error (3)	www.oftfolio.online	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:12:49.558319092 CEST	1.1.1.1	192.168.2.4	0xc4d8	Name error (3)	www.angbaojia.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:13:09.623955011 CEST	1.1.1.1	192.168.2.4	0x815c	Name error (3)	www.6snf.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:13:30.219975948 CEST	1.1.1.1	192.168.2.4	0x6b6c	Name error (3)	www.roliig.top	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:13:51.179496050 CEST	1.1.1.1	192.168.2.4	0x389e	Name error (3)	www.zitcd65k3.buzz	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:14:11.966578007 CEST	1.1.1.1	192.168.2.4	0x824e	Name error (3)	www.heirbuzzwords.buzz	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:14:33.266202927 CEST	1.1.1.1	192.168.2.4	0x7c80	Name error (3)	www.atangtoto4.click	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:14:53.880975962 CEST	1.1.1.1	192.168.2.4	0x9354	Name error (3)	www.ighrane.online	none	none	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE1
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE1
GetMessageW	INLINE	0x48 0x8B 0xB8 0x86 0x6E 0xE1
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8E 0xEE 0xE1

Target ID:	0
Start time:	02:10:59
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\New Order #60-23095840024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Order #60-23095840024.exe"
Imagebase:	0x400000
File size:	1'153'231 bytes
MD5 hash:	64DBDE73E410165A5E6566ED2B2282B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:11:05
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Order #60-23095840024.exe"
Imagebase:	0x670000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1854401835.0000000002F00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.1854342454.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:11:05
Start date:	30/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:11:14
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\explorer.exe"
Imagebase:	0x560000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4129273306.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4129224342.0000000002F30000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.4129000762.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:11:18
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:11:18
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8%
Total number of Nodes:	561
Total number of Limit Nodes:	65

Executed Functions

Function 030BA036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 030BA19F

Strings

0, xrefs: 030BA227

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: dc6ff952b38cf7918fb0971cfaada72603b7c0fbb348f908515be85dc50bee4e
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 2EF13074519A8C8FDBA9EF68C894AEEB7F0FF98304F40462AD44ADB250DF349645CB41

Function 035EA036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 035EA19F

Strings

0, xrefs: 035EA227

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: fec0eebca03a74a6a4f8083be1d61863fdd615d3442dda782298204f744765a6
Instruction ID: 9e6c9f4621683675cc150422eff4a7bd37f7ebb2cc951f653bf4ef4ad6a2c011
Opcode Fuzzy Hash: fec0eebca03a74a6a4f8083be1d61863fdd615d3442dda782298204f744765a6
Instruction Fuzzy Hash: 5DF14074918A8D8FDBA9EF68D894AEEB7F0FF98304F40462AD44ADB250DF349541CB41

Function 030BA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 030BA19F

Strings

0, xrefs: 030BA0CD

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: d6f620a9e1963d85327ad4f880d7029dd280c721a8ec33953d1786e712d86141
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: C7512E74914A8C8FDBA9EF68C8946EEB7F4FB98305F40462ED44AD7250DF309645CB41

Function 035EA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 035EA19F

Strings

0, xrefs: 035EA0CD

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: f7858bd3ba61f7e847d4a8c3028d4e478e8bd09163b76a12c91516328699b191
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 0B512D70918A8C8FDB69EF68D8946EEB7F4FB98305F40462ED44AD7260DF309645CB41

Function 026EA50A Relevance: 1.6, APIs: 1, Instructions: 61
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,026EB104,?,00000000,?,00003000,00000040,00000000,00000000,026D9CF3), ref: 026EA549

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 064ac802250dd168c771c934be1c777717bec99c171f8d87037b9a5dd00dfe46
Instruction ID: 0bcd75a4647f8edc43930e4c865bd36445dbcb0ae1832942dd05f8848bee66ee
Opcode Fuzzy Hash: 064ac802250dd168c771c934be1c777717bec99c171f8d87037b9a5dd00dfe46
Instruction Fuzzy Hash: B61103B6210218ABCB14DF88DC84EEB77ADAF88754F118559FE5997241C630E811CBE0

Function 026EA2EA Relevance: 1.6, APIs: 1, Instructions: 57
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,026D9CF3,?,026E4BB7,026D9CF3,FFFFFFFF,?,?,FFFFFFFF,026D9CF3,026E4BB7,?,026D9CF3,00000060,00000000,00000000), ref: 026EA37D

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0c3546f6f5ba8f1124a9cbad1294cc35b42613a308221493e4830bbd4581e154
Instruction ID: b457d8bac79a5288230bed09daebe39491c61888c729385a839fa3b7e06e97aa
Opcode Fuzzy Hash: 0c3546f6f5ba8f1124a9cbad1294cc35b42613a308221493e4830bbd4581e154
Instruction Fuzzy Hash: FD1105B2204208AFDB08CF98DC85DEB77ADEF8C710F058549BA4DDB241C630E811CBA5

Function 026EA58B Relevance: 1.6, APIs: 1, Instructions: 50
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,026EB104,?,00000000,?,00003000,00000040,00000000,00000000,026D9CF3), ref: 026EA549

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4e1db3414c0164043b1febb0bea3a7816c927774ba8fe30c406b65c49da7ce32
Instruction ID: 48c0b1a25bd03dd0655ded56af2c20412bc3c5803dd4f936b6bf3b9d5a0a4218
Opcode Fuzzy Hash: 4e1db3414c0164043b1febb0bea3a7816c927774ba8fe30c406b65c49da7ce32
Instruction Fuzzy Hash: 5F011DB6210208ABCB14EF88DC81DAB73ADEF88254F118649BA4997201C630ED21CBB1

Function 026EA330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,026D9CF3,?,026E4BB7,026D9CF3,FFFFFFFF,?,?,FFFFFFFF,026D9CF3,026E4BB7,?,026D9CF3,00000060,00000000,00000000), ref: 026EA37D

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 30ed7a251e2040c954633dce140f9e1b1cc2733b5fe166436bb37baae78f5c00
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: D4F0BDB2211208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Function 026EA3E0 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(026E4D72,5EB65239,FFFFFFFF,026E4A31,?,?,026E4D72,?,026E4A31,FFFFFFFF,5EB65239,026E4D72,?,00000000), ref: 026EA425

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 1427131485671a569df7936531bb978031fdc50276973e7fd51aef11912af32c
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: A4F0A4B2210208ABCB14DF89DC84EEB77ADAF8C754F158249BA1D97241D630E8118BA5

Function 026EA510 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,026EB104,?,00000000,?,00003000,00000040,00000000,00000000,026D9CF3), ref: 026EA549

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: cd3de67be20732f13e36573bc1f10d19a611eda9c5010ee51cbbb1e2d12ac9e7
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: DDF015B2210208ABCB14DF89CC80EAB77ADAF88754F118149BE0997241C630F811CBA4

Function 026EA460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(026E4D50,?,?,026E4D50,026D9CF3,FFFFFFFF), ref: 026EA485

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 94df278e804118f195a8a713e2cdbfb5414f3a419bc8d42f35fbe2dba4b5d961
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 36D01776211214ABDB10EBD8CC89EA77BADEF48760F154499BA599B242C530FA008AE1

Function 03172B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172B6A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d674fd4d7c218e0e334bd12d115238c3606a803392f0846dfc3979393b4fa059
Instruction ID: 75acb95e11ec39715f878f1e43c15ee527e7b0a87199a0673d7cb0378bc1214d
Opcode Fuzzy Hash: d674fd4d7c218e0e334bd12d115238c3606a803392f0846dfc3979393b4fa059
Instruction Fuzzy Hash: D1900261202404034105B2584554656400B87E4301B95D021E1015594DC72589916529

Function 03172BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172BFA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c4057369484e4de1f8f12cacae58db70f6f6c3ee960b2b0dc48a840c966d5a0
Instruction ID: f966a18a9b4d118a44305fe7e98f0b150149f304e975bee7aa84a98016834f27
Opcode Fuzzy Hash: 7c4057369484e4de1f8f12cacae58db70f6f6c3ee960b2b0dc48a840c966d5a0
Instruction Fuzzy Hash: 3A90023120140C03D180B258454468A000687D5301FD5D015A0026658DCB158B597BA5

Function 03172AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172ADA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 792451838e1cf94117a3484312ae5b87f2c7cc53888052c8d4d43603a3100053
Instruction ID: c50fb5e4f2a364241434637cd08a22af322e1971c9ead9f9990e0315be771a17
Opcode Fuzzy Hash: 792451838e1cf94117a3484312ae5b87f2c7cc53888052c8d4d43603a3100053
Instruction Fuzzy Hash: 23900435311404030105F75C07445470047C7DD3513D5D031F1017554CD731CD715535

Function 03172F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172F3A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 328d06d4a5794df2f81955634f004892fec64849502d97c8fa717023d23b4a74
Instruction ID: ac14ebe779e06848e3294b198834cfa2483faf11a128593f40fdb565928934df
Opcode Fuzzy Hash: 328d06d4a5794df2f81955634f004892fec64849502d97c8fa717023d23b4a74
Instruction Fuzzy Hash: 4C90026134140843D100B2584554B460006C7E5301F95D015E1065558D8719CD52652A

Function 03172F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172F9A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d59f4020575462a915937100a742c57092eeac3adb133348e64b1a44901bef13
Instruction ID: d873e743e8f86662683a6cd64d944dc3d68d936d9cbd8b51d2feb74d534eaea3
Opcode Fuzzy Hash: d59f4020575462a915937100a742c57092eeac3adb133348e64b1a44901bef13
Instruction Fuzzy Hash: 3990023120180803D100B258495474B000687D4302F95D011A1165559D872589516975

Function 03172FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172FBA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3199e7b693647bf03e02bd998568518826220270779e73ed9e58b62ba66e0bb
Instruction ID: 5be25e599ea65834172b12cd25718938ae215fae8dd2874911200cc7b2cf4dba
Opcode Fuzzy Hash: e3199e7b693647bf03e02bd998568518826220270779e73ed9e58b62ba66e0bb
Instruction Fuzzy Hash: DD900221601404434140B26889849464006ABE5311795D121A0999554D875989655A69

Function 03172FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172FEA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8f161b6fe2719e639f8bdcffd58be774ce4b1b9876025f92453c1285e48ecfa
Instruction ID: 317124faf7c6bb66ac37dbaa8c0448393c48dd19682fd1ad9308c9b379c194d9
Opcode Fuzzy Hash: a8f161b6fe2719e639f8bdcffd58be774ce4b1b9876025f92453c1285e48ecfa
Instruction Fuzzy Hash: 76900221211C0443D200B6684D54B47000687D4303F95D115A0155558CCB1589615925

Function 03172E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172E8A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 339efbcc9b33b5129d39cbea1fe63239abaad39cb055c11030e919f7a22fd794
Instruction ID: 7d0862cb9eb7bcdf457c2561c44fc3560091dd64f13a2f0187523fc47f8ea87c
Opcode Fuzzy Hash: 339efbcc9b33b5129d39cbea1fe63239abaad39cb055c11030e919f7a22fd794
Instruction Fuzzy Hash: 5E90022160140903D101B2584544656000B87D4341FD5D022A1025559ECB258A92A535

Function 03172EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172EAA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7e92a6d1a8c43a470c45d3d07dec902e841bba93c7728d271f207c58dcc7332
Instruction ID: 1398ca651a53f59c6b5ca96cb8cdd9f8462305814bf9dde8b550bd55294eaeac
Opcode Fuzzy Hash: b7e92a6d1a8c43a470c45d3d07dec902e841bba93c7728d271f207c58dcc7332
Instruction Fuzzy Hash: 5C90027120140803D140B2584544786000687D4301F95D011A5065558E87598ED56A69

Function 03172D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172D1A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 77bdebb85332028e6eee891b6f9f62daac72f8fb9bafdb82007aad1dcbf4bd51
Instruction ID: 891088f1456512b52e3f913de895b023e1139df5276c8238690c2d91b458f47e
Opcode Fuzzy Hash: 77bdebb85332028e6eee891b6f9f62daac72f8fb9bafdb82007aad1dcbf4bd51
Instruction Fuzzy Hash: 2390022921340403D180B258554864A000687D5302FD5E415A001655CCCB1589695725

Function 03172D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172D3A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2a51b51da322da2e14b288200154d258d754418313bd7453a9f6bf95ad18bf46
Instruction ID: e7487840678c2fc6d0dcbd049a63646909ff69f64783dda83fe6741d83765150
Opcode Fuzzy Hash: 2a51b51da322da2e14b288200154d258d754418313bd7453a9f6bf95ad18bf46
Instruction Fuzzy Hash: D490022130140403D140B25855586464006D7E5301F95E011E0415558CDB1589565626

Function 03172DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172DDA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 59127d61b1ddc033cc3019e63de0c80666f7077febf0b2001525a91ed12658a1
Instruction ID: a14d6ab12e128f62756c256071bc98b4a2654ebca555effb60e48ec94d35d512
Opcode Fuzzy Hash: 59127d61b1ddc033cc3019e63de0c80666f7077febf0b2001525a91ed12658a1
Instruction Fuzzy Hash: F9900221242445535545F2584544547400797E43417D5D012A1415954C87269956DA25

Function 03172DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172DFA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 30055d3e5cbe452b93c5d05c8f14b2a2abba8a436447c0c8796f4178dfce896b
Instruction ID: 7bf652c0a18e07b1af1dd60af1f3373496c9129aa5abe6838424cddeed5be6cc
Opcode Fuzzy Hash: 30055d3e5cbe452b93c5d05c8f14b2a2abba8a436447c0c8796f4178dfce896b
Instruction Fuzzy Hash: 4390023120140813D111B2584644747000A87D4341FD5D412A042555CD97568A52A525

Function 03172C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172C7A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 756bfc0d12896652c9fe6ba7c02dbbd2ddd913814857c7a09b5419ca74a6af51
Instruction ID: 8a22d092ec8477631d6329b2b68140ff47d178a77d35e3bfaa9e4fd07bd09729
Opcode Fuzzy Hash: 756bfc0d12896652c9fe6ba7c02dbbd2ddd913814857c7a09b5419ca74a6af51
Instruction Fuzzy Hash: 5B90023120148C03D110B258854478A000687D4301F99D411A442565CD879589917525

Function 03172CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172CAA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 041d0af523e70d51bf6dd5b73a4583b50a0db8c160e2f78e4c60b3c1e31e78a5
Instruction ID: 96c936c46310f1bc75ab436fb045e9766f97f5aec3f0be1fe5a14148e0175c34
Opcode Fuzzy Hash: 041d0af523e70d51bf6dd5b73a4583b50a0db8c160e2f78e4c60b3c1e31e78a5
Instruction Fuzzy Hash: 2B90023120140803D100B6985548686000687E4301F95E011A5025559EC76589916535

Function 026D8308 Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 026D836A

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f835dfc7be264ead7bcfc712345794832f517f55077c4f70dc30c3f92beae668
Instruction ID: f76fbf4d78f15a8e08a92866d20bfdbea440fa81c1285b2482e789a06f34d21a
Opcode Fuzzy Hash: f835dfc7be264ead7bcfc712345794832f517f55077c4f70dc30c3f92beae668
Instruction Fuzzy Hash: 9C01F931A812187BE721A6909C02FFE772C9F41B14F04011DFB04BA1C0D69429064BE5

Function 026D8310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 026D836A

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction ID: f78114637a7cc0dfddff06f0f7866f37385d53e8e5535b1e048d59599088de7d
Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction Fuzzy Hash: 6901A731E8122C77EB20A6949C02FBE776D5B40F50F050119FF04BA1C1E69469064BF9

Function 026DACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 026DAD62

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 19e51d009f615a61b64223a0c05391993b899ec889d2212a0eb2df4a5e6daa91
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 37011EB5D0120DBBDF10EAE4DC41F9DB3799B54708F0445A9A90997280FA71EB14CB91

Function 026EA812 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,026DF1D2,026DF1D2,0000003C,00000000,?,026D9D65), ref: 026EA7D0

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b92b3424ed67801ca82ba77569421946b35dff99f8cd50d6e8107618b23beb5d
Instruction ID: 45c41987e1aa369ef994587c015e4b4e53bb835c7d9469b6947601ac21d48e23
Opcode Fuzzy Hash: b92b3424ed67801ca82ba77569421946b35dff99f8cd50d6e8107618b23beb5d
Instruction Fuzzy Hash: 9D018FB6211214AFDB10DFA8CC88EEB7769EF88720F058459F91D6B341C931E9018BE1

Function 026EA791 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,026DF1D2,026DF1D2,0000003C,00000000,?,026D9D65), ref: 026EA7D0

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 283fabbc4d039aee57eec056626321f5b409fc24e4bdcf67055a507ef6476049
Instruction ID: 70381c8cbf0ab731d27f9ba4d2281b843a0230dad91302688890303e7443eb3f
Opcode Fuzzy Hash: 283fabbc4d039aee57eec056626321f5b409fc24e4bdcf67055a507ef6476049
Instruction Fuzzy Hash: 03E092B2305204ABEB20EF44CC85EEB73A9EF89354F01C558F94C57681C631AC16CBB5

Function 026EA673 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 026EA6A8

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: de203191a5ac83adbfc24b26316e894f9c6f8748d6461ce59de3c8d9674acbd3
Instruction ID: c455d9a0723cbef91b590ef8e07e651bd1183921037535cc3578853c419785f3
Opcode Fuzzy Hash: de203191a5ac83adbfc24b26316e894f9c6f8748d6461ce59de3c8d9674acbd3
Instruction Fuzzy Hash: 47E0DF71212310BBD720EF54CC85FD73BA8EF48350F008069BD885B242D631EA02CBE1

Function 026EA640 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,026D9CF3,?,?,026D9CF3,00000060,00000000,00000000,?,?,026D9CF3,?,00000000), ref: 026EA66D

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: c9e9e81770242e6e732f0aea328755f5361c381f2f22196136b027c6683f08ee
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: BEE046B2210208ABDB18EF99CC48EA777ADEF88750F018559FE095B241C630F914CAF1

Function 026EA63B Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,026D9CF3,?,?,026D9CF3,00000060,00000000,00000000,?,?,026D9CF3,?,00000000), ref: 026EA66D

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7f4b10add5d2f06863c931fa4b9b8a0feb2dbf4d18a18d5f7cbc47efa3906ef7
Instruction ID: 5a63d908f3e7de7f5e0b58c16904caf91fdb5ced471d77eaf0cb4510b6a536df
Opcode Fuzzy Hash: 7f4b10add5d2f06863c931fa4b9b8a0feb2dbf4d18a18d5f7cbc47efa3906ef7
Instruction Fuzzy Hash: 79E01AB1210204AFDB18DFA8DC88EE73769EF88350F114559F90997241C631E915CBA4

Function 026EA600 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(026E4536,?,026E4CAF,026E4CAF,?,026E4536,?,?,?,?,?,00000000,026D9CF3,?), ref: 026EA62D

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: aba65f62e81c262eae40cabc7de670db872da66354aa6da122bed033b9f707a3
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F6E046B2211208ABDB14EF99CC44EA777ADEF88754F118559FE095B241C630F915CBF1

Function 026EA7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,026DF1D2,026DF1D2,0000003C,00000000,?,026D9D65), ref: 026EA7D0

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: c2eafb888658695b54f069e34d12f40086b6cf51f698691637e7dfb6976e2681
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 06E01AB12102086BDB10DF89CC84EE737ADAF88650F018155BA0957241C930E8158BF5

Function 026EA680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 026EA6A8

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 2754066171642be5ae3b8f704648416b5e27a0c766cbb4fa7c2a722eabde4746
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: D6D012726112147BD620DB98CC85FD7779CDF48750F018065BA5D5B241C531BA008AE1

Function 03172C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03172C24

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bd25a62230af5642f71c0676f24b96059d7e626d58ffe02c7b8b4cfe57cf3d8c
Instruction ID: 381b3fc9a724be1063a2ff219f499a43c6624ed67561191bf5412506cdd63b6c
Opcode Fuzzy Hash: bd25a62230af5642f71c0676f24b96059d7e626d58ffe02c7b8b4cfe57cf3d8c
Instruction Fuzzy Hash: D0B09B719015C5C7DA11F7604708717791567D4701F6DC461D3030645E4739C1D2E575

Non-executed Functions

Function 031B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 031B3187
Initializing the application verifier package failed with status 0x%08lx, xrefs: 031B3176
@, xrefs: 031B2B74
MaxLoaderThreads, xrefs: 031B24EC
DisableHeapLookaside, xrefs: 031B246D
FrontEndHeapDebugOptions, xrefs: 031B2489
RaiseExceptionOnPossibleDeadlock, xrefs: 031B2579
DisableExceptionChainValidation, xrefs: 031B275F
MinimumStackCommitInBytes, xrefs: 031B2BB0
MaxDeadActivationContexts, xrefs: 031B2D82
TracingFlags, xrefs: 031B2549
LdrpInitializeExecutionOptions, xrefs: 031B317D
UseImpersonatedDeviceMap, xrefs: 031B251C
ExecuteOptions, xrefs: 031B25A0
CFGOptions, xrefs: 031B2967
@, xrefs: 031B2942
UnloadEventTraceDepth, xrefs: 031B24C0
GlobalFlag, xrefs: 031B2F3F, 031B3059
GlobalFlag2, xrefs: 031B2FC0
ShutdownFlags, xrefs: 031B24A1

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 273d3106dfe2c3308384bf682d40046043892fd4101713389457a544db94cb8a
Instruction ID: 89e5c4221faae8e2f53749e994a82c418087a4ad9e25cb158727ed29e204e989
Opcode Fuzzy Hash: 273d3106dfe2c3308384bf682d40046043892fd4101713389457a544db94cb8a
Instruction Fuzzy Hash: 89926B75604341ABD725DE25C884BABB7F8BB8C750F084D2DFA94DB250D770E84ACB92

Function 031268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 03189BC3
SE_InstallBeforeInit, xrefs: 0312691E
SE_LdrEntryRemoved, xrefs: 031269D2
ApphelpCheckModule, xrefs: 03126A86
SE_InstallAfterInit, xrefs: 0312694B
SE_GetProcAddressForCaller, xrefs: 03126A59
SE_ShimDllLoaded, xrefs: 031268F1
LdrpGetShimEngineInterface, xrefs: 03189BB9
apphelp.dll, xrefs: 0312698A
SE_LdrResolveDllName, xrefs: 03126A2C
SE_InitializeEngine, xrefs: 031268C5
SE_ProcessDying, xrefs: 031269FF
SE_DllUnloaded, xrefs: 031269A5
Could not locate procedure "%s" in the shim engine DLL, xrefs: 03189BB3
SE_DllLoaded, xrefs: 03126978

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-3089669407
Opcode ID: ce7ebfc00b8137a91119a8b251c1957fc68eedd98b399049376f5cfcb7529be9
Instruction ID: c45bbb806023cb0427864fbd1e44ee473a775e9167489c57934d3d432d48ea7c
Opcode Fuzzy Hash: ce7ebfc00b8137a91119a8b251c1957fc68eedd98b399049376f5cfcb7529be9
Instruction Fuzzy Hash: 9781F0B2D022187FCB11FB99EDC4EEEB7BDAB18610B149522B910E7114E774ED148BA0

Function 03168620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section debug info address, xrefs: 031A541F, 031A552E
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 031A54E2
Critical section address, xrefs: 031A5425, 031A54BC, 031A5534
Thread is in a state in which it cannot own a critical section, xrefs: 031A5543
double initialized or corrupted critical section, xrefs: 031A5508
Thread identifier, xrefs: 031A553A
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 031A540A, 031A5496, 031A5519
Invalid debug info address of this critical section, xrefs: 031A54B6
Address of the debug info found in the active list., xrefs: 031A54AE, 031A54FA
8, xrefs: 031A52E3
undeleted critical section in freed memory, xrefs: 031A542B
corrupted critical section, xrefs: 031A54C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 031A54CE
Critical section address., xrefs: 031A5502

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 0a276f43df0231ff88a4d8cd9f2dbabf7fa82243c209d2a0d311b26a711d3095
Instruction ID: 970a772fdeea54e13ef40d939200ab7a1ae95bcabccfd25350092dc2c3c082df
Opcode Fuzzy Hash: 0a276f43df0231ff88a4d8cd9f2dbabf7fa82243c209d2a0d311b26a711d3095
Instruction Fuzzy Hash: 4681BEB4A00758EFDB20CF99C844BAEBBB6EB0D705F148159F514BB641D371A941CB60

Function 030B2D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

kern, xrefs: 030B2F5A
el32, xrefs: 030B2F27
32.d, xrefs: 030B2F0B
M, xrefs: 030B3082
S, xrefs: 030B3073
wini, xrefs: 030B2F72
user, xrefs: 030B2F03
dll, xrefs: 030B2F4C
.dll, xrefs: 030B2F2F
net., xrefs: 030B2F44
ll, xrefs: 030B2F13

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: ab1a08f5601bb58648aaa1b7a98311fd2fc7c22e65de961b229c56ed3d498181
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 77E15B78619F488FC7A4EF68C4847EAB7E0FB98301F504A2E959BCB255DF30A541CB85

Function 035E2D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

32.d, xrefs: 035E2F0B
.dll, xrefs: 035E2F2F
el32, xrefs: 035E2F27
kern, xrefs: 035E2F5A
M, xrefs: 035E3082
S, xrefs: 035E3073
dll, xrefs: 035E2F4C
ll, xrefs: 035E2F13
wini, xrefs: 035E2F72
net., xrefs: 035E2F44
user, xrefs: 035E2F03

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 3818a9223b964e73297ab2bf3af68cf5f22e0d93df0c61bba1cf26e3b8e9dfd7
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 07E15A78618F488FC768EF68D4847AAB7E0FB98301F404A2E959BCB255DF34A541CB85

Function 03160F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON

Download Yara Rule

Strings

9, xrefs: 03160F9C
%%%u!%s!, xrefs: 031A14A1
l, xrefs: 03160FC4
%, xrefs: 03160F7E
!, xrefs: 03160FA6
0, xrefs: 03160F92
w, xrefs: 03160FBA
, xrefs: 03160FEC
h, xrefs: 03160FB0
%%%u, xrefs: 031A14CC

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
API String ID: 0-360209818
Opcode ID: 96ca2e1e82946f5fef22e112ebad8bf568dcd3065159c46f98352fca9c98fe49
Instruction ID: d8cbe4ae4729788723cd482d64abebba6122890b3501758f08764d5f2c361630
Opcode Fuzzy Hash: 96ca2e1e82946f5fef22e112ebad8bf568dcd3065159c46f98352fca9c98fe49
Instruction Fuzzy Hash: EA62B3B9E00625AFDB24CF58C8407A9B7B6FF89311F5981EAD449AB240D7725EE1CF40

Function 031E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 031E186B
Heap block at %p is not last block in segment (%p), xrefs: 031E17B7
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 031E18F8
Free Heap block %p modified at %p after it was freed, xrefs: 031E171B
Heap block at %p has incorrect segment offset (%x), xrefs: 031E181A
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 031E18A5
HEAP: , xrefs: 031E1706, 031E1756, 031E17A8, 031E1809, 031E184D, 031E1895, 031E18E6
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 031E176D
HEAP[%wZ]: , xrefs: 031E16CD, 031E16F9, 031E1749, 031E179B, 031E17FC, 031E1840, 031E18D9

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 9fb667194c9a7c877d5d4d511b8bebe29d01d3b9c1e3b8dddd53e8638e1c7410
Instruction ID: f619de08b400bfb27fd04d967ea6021a9647ce6588e940730c948146fef7a713
Opcode Fuzzy Hash: 9fb667194c9a7c877d5d4d511b8bebe29d01d3b9c1e3b8dddd53e8638e1c7410
Instruction Fuzzy Hash: 7D12AD74604A41EFDB29CF29C441BBABBF6FF0D714F098469E4968B642D776E880CB50

Function 0312D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

Control Panel\Desktop\MuiCached, xrefs: 0312D62B
PreferredUILanguages, xrefs: 0312D4B8, 0312D4C5
@, xrefs: 0312D3E9
MachinePreferredUILanguages, xrefs: 0312D685
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0312D3B6
@, xrefs: 0312D49D
Control Panel\Desktop, xrefs: 0312D45D
PreferredUILanguagesPending, xrefs: 0318A8DE
@, xrefs: 0312D663

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 2ca39edb861d0ab03175cb37480bdac9f212c8ed4fe2bdef210e9901823f502c
Instruction ID: ac0c56914121f3afe432968dab17aa74270407c371c1a206281b7305b004a8fa
Opcode Fuzzy Hash: 2ca39edb861d0ab03175cb37480bdac9f212c8ed4fe2bdef210e9901823f502c
Instruction Fuzzy Hash: AEB1AC729083619FC725EF24D480A6BBBE8AF8C754F09492EF8A9D7240D770D945CB92

Function 031C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

AppContainerNamedObjects, xrefs: 031C946E, 031C94D6
BaseNamedObjects, xrefs: 031C9477, 031C947C
\Sessions, xrefs: 031C9488
%s\%ld\%s, xrefs: 031C948D
\BaseNamedObjects, xrefs: 031C949E
Global\Session\%ld%s, xrefs: 031C94C5
%s\%u-%u-%u-%u, xrefs: 031C9422
\AppContainerNamedObjects, xrefs: 031C94AB, 031C94B9

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: 7422970860dc77b865e521f0d703feb6c298f3c230b55d73d22fc02c5490b28a
Instruction ID: 6e07dbf6eaf599e1eda764d7d575c6a9715e736528313e083d7d77d6bb5da191
Opcode Fuzzy Hash: 7422970860dc77b865e521f0d703feb6c298f3c230b55d73d22fc02c5490b28a
Instruction Fuzzy Hash: E8D1C4B28143A5AFD721DB64C840BAFF7E8AFAC714F05492DF994AB290D770C9448792

Function 031E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to %Ix bytes, xrefs: 031E05F1
HEAP: , xrefs: 031E03A6, 031E04B5, 031E05DD, 031E0682, 031E06D9
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 031E069F
RtlReAllocateHeap, xrefs: 031E02BF, 031E0362
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 031E04D3
About to reallocate block at %p to %Ix bytes, xrefs: 031E03BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 031E06EA
HEAP[%wZ]: , xrefs: 031E0399, 031E04A8, 031E05D0, 031E0675, 031E06CC

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 2144b1b4da13752295bd0ee441e19ebc99abc35c45bc677c1bbea8365611ffd4
Instruction ID: 55dd60fd41d5132adcf6a82521b4b32f9848d6a62122f7900da1990a2f0b266d
Opcode Fuzzy Hash: 2144b1b4da13752295bd0ee441e19ebc99abc35c45bc677c1bbea8365611ffd4
Instruction Fuzzy Hash: 53D1EE79504B85EFCB26EF6AD840AADFBF1FF4E700F088049E4559B252C7B69981CB10

Function 0312D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

Control Panel\Desktop\LanguageConfiguration, xrefs: 0312D196
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0312D262
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0312D0CF
@, xrefs: 0312D2AF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0312D146
@, xrefs: 0312D0FD
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0312D2C3
@, xrefs: 0312D313

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 33f5bdef8c7ed11f31afab7fad0b011c25abe5283014eff4b4448d5b9450cca6
Instruction ID: b2556e04bfe74f60d96b51406663c7ef89f0786a3656cf2c7da2b5f742ab5f06
Opcode Fuzzy Hash: 33f5bdef8c7ed11f31afab7fad0b011c25abe5283014eff4b4448d5b9450cca6
Instruction Fuzzy Hash: 24A188719083559FD320DF21D484BABBBE8BF8C715F044D2EE5A89A240E774D948CF92

Function 0313EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 0313F299
{, xrefs: 03194643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0313EB6C
T, xrefs: 0313EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0313EB58
R, xrefs: 0313EB62

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 193bd3b4860c87bdb9ce26a8b1f0839f528bbaaf08728a0c70554c108104fbd2
Instruction ID: 95f8fb8bd60dda13b0ddc7d4c7154c829a8744ff9c585823bcfaa62829c561e4
Opcode Fuzzy Hash: 193bd3b4860c87bdb9ce26a8b1f0839f528bbaaf08728a0c70554c108104fbd2
Instruction Fuzzy Hash: 72A22675E05629CBEF68DF19CC987A9B7B5AF49304F1542EAD809A7250DB309EC6CF00

Function 0312F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 0318E291
(UCRBlock != NULL), xrefs: 0318DF6F
HEAP: , xrefs: 0318DF64, 0318E0A8, 0318E286, 0318E39E
(!TrailingUCR), xrefs: 0318E3A9
((LONG)FreeEntry->Size > 1), xrefs: 0318E0B3
HEAP[%wZ]: , xrefs: 0318DF57, 0318E09B, 0318E279, 0318E391

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 3302de7315c26b9b021b0915f8207be0c37b9bdd534ba461aa8caff53cafd455
Instruction ID: 43f6cc9050943efd6e29d560d99081e06cd8d49fad0b3c0c9ce293a8af1b01e6
Opcode Fuzzy Hash: 3302de7315c26b9b021b0915f8207be0c37b9bdd534ba461aa8caff53cafd455
Instruction Fuzzy Hash: BD42EF752087919FC719EF28C894A2AFBE5FF8D204F18896DE8958B351D730D892CF61

Function 0314B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 0319840D, 031984E1
LdrpPreprocessDllName, xrefs: 03198403, 031984D7
SxS, xrefs: 031983ED
DLL %wZ was redirected to %wZ by %s, xrefs: 031983FC
API set, xrefs: 031983F4, 031983F9
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 031984D0

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 40156d8b15a2fd1c5fde6d216488b8529698f13cd178652beb487d626c12f1c3
Instruction ID: 03f2cfe5e57b87c44a40ed48c1d75b9a56904309038e9162f93a7fac23a9e5eb
Opcode Fuzzy Hash: 40156d8b15a2fd1c5fde6d216488b8529698f13cd178652beb487d626c12f1c3
Instruction Fuzzy Hash: 7AC13C35A08315ABDF28DB65C890BBEB7A5AF4D300F18C069E8969F2C1E7B4D945C391

Function 031663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 031A40E9, 031A414B, 031A420F, 031A4269
Process initialization failed with status 0x%08lx, xrefs: 031A413A
Delaying execution failed with status 0x%08lx, xrefs: 031A4258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 031A41FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 031A40D8
_LdrpInitialize, xrefs: 031A40DF, 031A4141, 031A4205, 031A425F

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 3fa8fdd65d2ec4370bb5490363237a5bfb8573727aa23666a60ba6a72f2c7727
Instruction ID: 1e684088b4e7d7c47867745e1fb0723ecaabee38d24ec05fe55990c1e94cb0aa
Opcode Fuzzy Hash: 3fa8fdd65d2ec4370bb5490363237a5bfb8573727aa23666a60ba6a72f2c7727
Instruction Fuzzy Hash: B7917839A00B14AFDB34EF59EC48BAEB7A4FF1DB15F184129E5106B381DBB49851C790

Function 03162674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 031A219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 031A2180
SXS: %s() passed the empty activation context, xrefs: 031A2165
RtlGetAssemblyStorageRoot, xrefs: 031A2160, 031A219A, 031A21BA
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 031A21BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 031A2178

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: aaddb0e1b81a87efe13bace6a91a649360beb9eb7e8fd72d34391fe19a8b74e6
Instruction ID: 5083583952122bebf14fd93c4b6f31453e7a70e6f9c7dd4dda51e41a4cb31767
Opcode Fuzzy Hash: aaddb0e1b81a87efe13bace6a91a649360beb9eb7e8fd72d34391fe19a8b74e6
Instruction Fuzzy Hash: 5A312B3AF402147BE725CA998C41F9FB778DB6DA92F094469FA047B281D370DA12C7E1

Function 0316C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0316C6C3
LdrpInitializeProcess, xrefs: 0316C6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 031A81E5
LdrpInitializeImportRedirection, xrefs: 031A8177, 031A81EB
minkernel\ntdll\ldrredirect.c, xrefs: 031A8181, 031A81F5
Loading import redirection DLL: '%wZ', xrefs: 031A8170

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: f5512dc4076077fd1cf6868b1f40f20a4fe3e09661645bbc8fde74deb443d5e8
Instruction ID: f380e76437aa07f1c18e60fd9456a21852e23e6e5e7121d7112585d19380eba2
Opcode Fuzzy Hash: f5512dc4076077fd1cf6868b1f40f20a4fe3e09661645bbc8fde74deb443d5e8
Instruction Fuzzy Hash: 6531287A744741AFC220EF68DC45E6AB7A4EF8CB11F040968F8946F391D720EC04C7A2

Function 03149950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 031976A3
minkernel\ntdll\sxsisol.cpp, xrefs: 031976AD
Internal error check failed, xrefs: 031976B2
, xrefs: 031499F1
, xrefs: 031499F9

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 5e4f40054cb77e7ce1ac0a7daa7b15afc087b6e01dc579cbdd5151710db43fd4
Instruction ID: 68343996fb3d12ce18f013ac72aa9d6eec6575812f584764aa71ff333da9c07f
Opcode Fuzzy Hash: 5e4f40054cb77e7ce1ac0a7daa7b15afc087b6e01dc579cbdd5151710db43fd4
Instruction Fuzzy Hash: AD0247719083418FD724CF64C084BABFBE5BF8D714F49896EE9999B250E770D884CB92

Function 031551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Number-Allowed, xrefs: 03155247
Kernel-MUI-Language-Allowed, xrefs: 0315527B
Kernel-MUI-Language-SKU, xrefs: 0315542B
WindowsExcludedProcs, xrefs: 0315522A
Kernel-MUI-Language-Disallowed, xrefs: 03155352

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: cc86f4111c61bab3372b1a7f90de895c54a3a260d0e7589f49948daea1650b79
Instruction ID: 6737b82ae466f92ca17ae23314e3b7e292e1a74c24cd9bb0744352434f191746
Opcode Fuzzy Hash: cc86f4111c61bab3372b1a7f90de895c54a3a260d0e7589f49948daea1650b79
Instruction Fuzzy Hash: 6FF16C76D10219EFCF15DF98C980AEEBBBAEF4D650F15405AE912AB210E7709E01CB90

Function 031B4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

/, xrefs: 031B4F6D
.Local, xrefs: 031B5170
\, xrefs: 031B4F66
\microsoft.system.package.metadata\Application, xrefs: 031B5158
.DLL, xrefs: 031B50C7, 031B519C

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 458d1bd56da5d9e15d8a0e24f82e50ea374df173624bbcf028f8e359c5c76ec6
Instruction ID: 1f1ba0c43b0744baa8728ce20fa37c14f2c7aa163ba2aa4d8c3781b4da379809
Opcode Fuzzy Hash: 458d1bd56da5d9e15d8a0e24f82e50ea374df173624bbcf028f8e359c5c76ec6
Instruction Fuzzy Hash: 2791BE769006199BCB24CF69C881AFEF7B6EF8D310F594169E810EB350D735DA41CB90

Function 0315D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0319F2D8
$, xrefs: 0315D900
Process 0x%p (%wZ) exiting, xrefs: 0319F2C7
LdrShutdownProcess, xrefs: 0319F2CE
$, xrefs: 0315D86D

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: bf1585223aec27e7287c352158926338355a468a87ba4a634da1a20e2658a42a
Instruction ID: e600d277b0d79aebd5e4d1c4a4953c34ec2913106e3ee9178c92dda5b287f17e
Opcode Fuzzy Hash: bf1585223aec27e7287c352158926338355a468a87ba4a634da1a20e2658a42a
Instruction Fuzzy Hash: 6751F075A00345EFDB24EFA4E88879DBBB1FF4C314F288159E8216B295D774A885CB80

Function 031276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

Invalid heap signature for heap at %p, xrefs: 0318B02F
, passed to %s, xrefs: 0318B040
HEAP: , xrefs: 0318B023
RtlFreeHeap, xrefs: 0318B03F
HEAP[%wZ]: , xrefs: 0318B016

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: ee7d54b28abd4381bb06419271d4d697408f0b349012e2e1a02268ea949290bc
Instruction ID: 99af5ee02bb9cc1de362c64e4436b05af7ff0c63fde05c3b514629d62c0a6cd3
Opcode Fuzzy Hash: ee7d54b28abd4381bb06419271d4d697408f0b349012e2e1a02268ea949290bc
Instruction Fuzzy Hash: CD01287610C260EFD22DF319A80DF66BBE4DF4EA70F19C04AE0104B5D2CBE89880C964

Function 031470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03147C96, 03148696
HEAP: , xrefs: 03147C7C, 0314867F
HEAP[%wZ]: , xrefs: 03147C6D, 03148670

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 59aae9165f19cfb3a316a602b27734aa62bba8e343dc2d26a22b8988ce28f54e
Instruction ID: 72d95f1cdaaa0209bdfb45e58a5f434f92b13b31ba23c6fbe76fca9d485270b2
Opcode Fuzzy Hash: 59aae9165f19cfb3a316a602b27734aa62bba8e343dc2d26a22b8988ce28f54e
Instruction Fuzzy Hash: 70139D70A00655DFDB29CF68C8907A9FBF1BF4D304F1881A9D859AB381D735A986CF90

Function 03141070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0319588F
HEAP: , xrefs: 03195884
@, xrefs: 03195A53
HEAP[%wZ]: , xrefs: 03195877

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: 36f86191e2e20ea205643cb8030f0cafa85effb6b0e01152f8b2c4ad547e6dcd
Instruction ID: 5609562954c7ae6627fcd2f271d66f9334d5ee7938fc3b0206a00b3d0898b182
Opcode Fuzzy Hash: 36f86191e2e20ea205643cb8030f0cafa85effb6b0e01152f8b2c4ad547e6dcd
Instruction Fuzzy Hash: 82924A75A00269DFEB25CF28CC44BA9B7B6BF49314F1981EAD949AB240D7349EC0CF51

Function 0314A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

SsHd, xrefs: 0314A885
SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03197D39
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03197D03
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03197D56

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: ee296f767fbce41965eaab021f7a50df9c1bb47fc6f2f7089e440b50382f6e42
Instruction ID: a10bff6c1e4f713a01f4889ca38167fa78c52d4495dfd533ab45dbcf79c34038
Opcode Fuzzy Hash: ee296f767fbce41965eaab021f7a50df9c1bb47fc6f2f7089e440b50382f6e42
Instruction Fuzzy Hash: 41D17C75A4021A9BDF28CF98D8C0AADF7B5FF4C310F1A406AE845AB351D771E991CB90

Function 0313A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0313A3F7
LdrResFallbackLangList Enter, xrefs: 0313A3EF
LdrResFallbackLangList Exit, xrefs: 0313A3FF
8, xrefs: 0313A3E7

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: b13e648b4d627b1422da0c5d2fb3cd2985df6b9b94d007b799a14c75eedfbe5b
Instruction ID: 25f2cb915d05a084b2fd3b8233b1933bc5e3ae07ec43964a16a319e7ed500341
Opcode Fuzzy Hash: b13e648b4d627b1422da0c5d2fb3cd2985df6b9b94d007b799a14c75eedfbe5b
Instruction Fuzzy Hash: ACC17874108386DFDB15CF18C044B6AB7F4BF8A704F08896AF9D58B250E735DA8ACB52

Function 0316273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 031A22B6
SXS: %s() passed the empty activation context, xrefs: 031A21DE
.Local, xrefs: 031628D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 031A21D9, 031A22B1

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: b3d7fa110b2f926f0f7c53c13e1e8e5b97649667ed155555e1e6bc5d6d881f72
Instruction ID: b76febeb4141e98cf3f86b97171958d4d04fc771bd36b588166b9e8f63188a52
Opcode Fuzzy Hash: b3d7fa110b2f926f0f7c53c13e1e8e5b97649667ed155555e1e6bc5d6d881f72
Instruction Fuzzy Hash: BAA172359012299FDB24CFA4DC84BA9B3B5BF5C314F1949EAD848AB251D7309ED2CF90

Function 0312F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0318E563
`, xrefs: 0318E428
HEAP: , xrefs: 0318E54E
HEAP[%wZ]: , xrefs: 0318E3FE

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: d6efc495b553d636a8542222ff473e33171aa1c5e4019bef58db6b15d6305762
Instruction ID: c53e5bcbfc353013d161799b3a3e8302bf6c65f42949a25c3cbaffbc9f013267
Opcode Fuzzy Hash: d6efc495b553d636a8542222ff473e33171aa1c5e4019bef58db6b15d6305762
Instruction Fuzzy Hash: 3361F376205780AFD721EB28C844F6BBBE9EF8C714F090868F955CB291D734E952CB61

Function 031E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 031E1261
HEAP: , xrefs: 031E124A, 031E125D, 031E125F, 031E12C4
This is located in the %s field of the heap header., xrefs: 031E12D6
HEAP[%wZ]: , xrefs: 031E123D, 031E12B7

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 4b97d2d05d2d0696585e71681cc5a267f80320d3976949d58b5869d9e978906d
Instruction ID: af329d42414159fac73f5aee55622e9bfed7474d99363cc41aebefe02dd1715f
Opcode Fuzzy Hash: 4b97d2d05d2d0696585e71681cc5a267f80320d3976949d58b5869d9e978906d
Instruction Fuzzy Hash: 6231FE75204A15FFCB19DB98CC85F6AB7E9EF0D620F284065F411CB291D7B2EC80CA65

Function 03129148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 0318BABA
VirtualQuery Failed 0x%p %x, xrefs: 0318BAF7
HEAP: , xrefs: 0318BAAD, 0318BAEA
HEAP[%wZ]: , xrefs: 0318BAA0, 0318BADD

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: f104f3e57ac4392c6f9a11f42edb769fab451ae140f0e8c1f4b5124d37122d63
Instruction ID: 52f703fe39cb63e103a4d02ad6b177d3f1de99783e899da07b1fcf9c8e64effa
Opcode Fuzzy Hash: f104f3e57ac4392c6f9a11f42edb769fab451ae140f0e8c1f4b5124d37122d63
Instruction Fuzzy Hash: 0A31B476604214EFCB15EB4AC885FDEBBB9EF4D630F158051E814AB291D770ED50CE60

Function 03109B80 Relevance: 5.0, Strings: 3, Instructions: 1217COMMON

Download Yara Rule

Strings

&, xrefs: 03109F3A
&, xrefs: 03109F1A
&, xrefs: 03109E3F

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: &$&$&
API String ID: 0-3101051865
Opcode ID: d5f063ca5d5a54335614681ab4e62901192a92094b4ba48229c72eb9652841ef
Instruction ID: 6a7d59f584b593f2fe9b2d27293821eeffaf9b37afbd874951a4d8d9406e2a93
Opcode Fuzzy Hash: d5f063ca5d5a54335614681ab4e62901192a92094b4ba48229c72eb9652841ef
Instruction Fuzzy Hash: FCC2256250D7D64EEB139B34CC58B91BFE1AF07318F9E82DAC0D08E4A3D7A9554AC316

Function 031429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0314327D
HEAP: , xrefs: 03143264
HEAP[%wZ]: , xrefs: 03143255

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: eb0647f400b3e9d3b4f43530c59c5d47a7b5278f52986bae5f30150c79eb1141
Instruction ID: 8c0b280cb8f01c9e8400ff062944dfa34bc57f152fb6e512731ce672092d117b
Opcode Fuzzy Hash: eb0647f400b3e9d3b4f43530c59c5d47a7b5278f52986bae5f30150c79eb1141
Instruction Fuzzy Hash: AA92CE75A042499FDB29CF68C444BADBBF1FF4D300F188899E859AB391D735A982CF50

Function 03141F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0314216B, 03195E68, 03196016, 03196160
HEAP: , xrefs: 0314212E, 03195E53, 03196001, 0319614B
HEAP[%wZ]: , xrefs: 03142155, 03195E46, 03195FF4, 0319613E

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 3f8703e2424baa1031b71778f9a059ebb8245eff7ac6c8177b3ea7bb9beea97c
Instruction ID: 26eea50f19126939140094e5c01bf635cd8fdba55a1c8e5d91a7279607424eda
Opcode Fuzzy Hash: 3f8703e2424baa1031b71778f9a059ebb8245eff7ac6c8177b3ea7bb9beea97c
Instruction Fuzzy Hash: A622F1706006419FEB19DF28C494B7AFBF6FF0E704F18849AE4559B282D775E892CB60

Function 03140770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 031950CA
HEAP: , xrefs: 031950BD
HEAP[%wZ]: , xrefs: 031950AE

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c41640f82ef79563526395162959e373b6fc7e89bab635303ee76d006157b1cb
Instruction ID: 5d72a1d764284c939905d62b9a0e5a6db5cd47f5b51eeea62f5dbddc5f4380d2
Opcode Fuzzy Hash: c41640f82ef79563526395162959e373b6fc7e89bab635303ee76d006157b1cb
Instruction Fuzzy Hash: 6DF1DF74A00605DFEB19CF69C994B6AF7B6FF4D300F1881A9E516AB381D734E981CB90

Function 03131460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03131728
HEAP: , xrefs: 03131596
HEAP[%wZ]: , xrefs: 03131712

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 01fced2c1870a9f2348786d9856a176c73bd3bd5eb7131bddb71ae74b63bf9eb
Instruction ID: 670166129ec709330c8343ec83c2547476649279cda55d1f9cb05883e703801b
Opcode Fuzzy Hash: 01fced2c1870a9f2348786d9856a176c73bd3bd5eb7131bddb71ae74b63bf9eb
Instruction Fuzzy Hash: F8E10274A04641AFDB29EF68C491BBABBF5EF4E300F18846DE896CB245D734E841CB50

Function 0313B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 0313B702
LdrResGetRCConfig Exit, xrefs: 0313B714
MUI, xrefs: 0313B6D8, 0313B7E7

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 51f4382d282e60516835c500f5e842dda92d67516c96b47904ee0a888ef69abe
Instruction ID: 705131699104b0c50452038cb8a5f947b86acc9b49be5cfdb6e03141e8c27ae5
Opcode Fuzzy Hash: 51f4382d282e60516835c500f5e842dda92d67516c96b47904ee0a888ef69abe
Instruction Fuzzy Hash: 9DB19179A087449FDF25CF59C980BADB7B6EF49714F18896AE461EB380E730E841CB50

Function 031B368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 031B3842
DelegatedNtdll, xrefs: 031B36CE
@, xrefs: 031B389F

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 657791bfffa710e00a94254ecad2b21478902b9d3bc115491d876f217579f6fc
Instruction ID: 45095f4a6eb462223ac31c9c4a08545de4ab49c180dce7865c316b6f3034fdd4
Opcode Fuzzy Hash: 657791bfffa710e00a94254ecad2b21478902b9d3bc115491d876f217579f6fc
Instruction Fuzzy Hash: DDB1AE7A604341AFD321DE65DC84BABB7F8EB4C710F155D29FA609B280D770E854CB92

Function 03156962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 03156C24
, xrefs: 0319CA51

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 7d20e9da909c341ecfe3290092f18fbdb81a5af5844f06ce2c9f1b9e123a7cbb
Instruction ID: c9219bceea321b9706f956e9ec4c77b62c979f5829d7fac3926a1c2d3b7a9935
Opcode Fuzzy Hash: 7d20e9da909c341ecfe3290092f18fbdb81a5af5844f06ce2c9f1b9e123a7cbb
Instruction Fuzzy Hash: 23C26C71608341DFEB29CF24C881BABB7E5AF8C754F09896EF99987240D734D845CB92

Function 0312A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 0312A1C1
\??\, xrefs: 0318C1E4
FilterFullPath, xrefs: 0318C2E6

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 8e6b0b76fe4900ff3745a63aeb70e5dd834365932900ae9ce8a5839f6b7ef6d2
Instruction ID: 22bbed803ca311673e4f4e709b69c3e727dbd71bc7059b6d6c0e3e03945b8cfb
Opcode Fuzzy Hash: 8e6b0b76fe4900ff3745a63aeb70e5dd834365932900ae9ce8a5839f6b7ef6d2
Instruction Fuzzy Hash: E1A15B759012299BDB31EF64CC88BEAF7B8EF48700F1441E9E909AB250D7359E85CF94

Function 031C36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

@, xrefs: 031C3867
LdrpResMapFile Exit, xrefs: 031C3727
LdrpResMapFile Enter, xrefs: 031C3715

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: b7ec46612c8b439b9c21e48bed855707b5fe1a72a647c426822a3425e5d199ac
Instruction ID: 00f8096d4e86609e8b8db0931d3d751fe170839900eb71a8c1c837601819bfe3
Opcode Fuzzy Hash: b7ec46612c8b439b9c21e48bed855707b5fe1a72a647c426822a3425e5d199ac
Instruction Fuzzy Hash: 82819B79618380AFE315DB14C844B6AB7E8FF99750F088D2DF9A09B390D778D944CB62

Function 0316909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

%, xrefs: 031A5D3F
&, xrefs: 031A5CF8
@, xrefs: 03169148

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 3211aa9643bd3b1a418ca447aedff64b80099bcf513e3e95ae379884e86b0535
Instruction ID: 37f324b03631809439039fd3c2a10b18fe68497eb30a7ec4113fff75803d7190
Opcode Fuzzy Hash: 3211aa9643bd3b1a418ca447aedff64b80099bcf513e3e95ae379884e86b0535
Instruction Fuzzy Hash: AE71E1745087019FC714DF64C980A2BFBEAFF8D718F24891DE49A8B240C731D855CB92

Function 0320B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0320B82A
GlobalizationUserSettings, xrefs: 0320B834
TargetNtPath, xrefs: 0320B82F

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 0d29ca45810514b465689b71be84799774be4648cdc6fee75ef87dfbb541f1ed
Instruction ID: ea81d62b8e03283ceded7f25af0297b84768ce35feff18bbfa3c939f9a33c34d
Opcode Fuzzy Hash: 0d29ca45810514b465689b71be84799774be4648cdc6fee75ef87dfbb541f1ed
Instruction Fuzzy Hash: 61618F7695122DABDB31EF54CC88BDAB7B9AF08710F0501E5A908AB291C774DEC4CF90

Function 0312F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0318E6C6
HEAP: , xrefs: 0318E6B3
HEAP[%wZ]: , xrefs: 0318E6A6

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 0160bdd9364eb7023d7d0c8c0cc486c618a5235b8c21dc636ce97da3c1d7542b
Instruction ID: 360554ecba7090f7874fb7f19965fb0b91737144a72d83627b48f65aa47d00db
Opcode Fuzzy Hash: 0160bdd9364eb7023d7d0c8c0cc486c618a5235b8c21dc636ce97da3c1d7542b
Instruction Fuzzy Hash: 4451F575604B54EFD716EB68C844BAAFBF8FF0D300F0840A4E9518B692D774E961CB20

Function 031DDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 031DDC32
HEAP: , xrefs: 031DDC1F
HEAP[%wZ]: , xrefs: 031DDC12

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 30f034c4354ced02a1c1a509bd7f5d130e9d9d87ed6949861cf14afa9c7c251d
Instruction ID: 0118d50ff74c2808f6f4b601281945150b2e4a99c7c1dd7c2dd15f8b3c05e9a4
Opcode Fuzzy Hash: 30f034c4354ced02a1c1a509bd7f5d130e9d9d87ed6949861cf14afa9c7c251d
Instruction Fuzzy Hash: CD5127351046508FD778DB2EE884772B7E2DF4F249F09888AE4D28B585D375E882DB21

Function 0316C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 031A82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 031A82DE
Failed to reallocate the system dirs string !, xrefs: 031A82D7

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 6dec0fd43544fa86869bbebe762003984bcb9c15a37cdfc15709c07a06396797
Instruction ID: 5b83cfaa5a7f21ba225706c9e1dce656995466a8f6a847677b374d982aa77525
Opcode Fuzzy Hash: 6dec0fd43544fa86869bbebe762003984bcb9c15a37cdfc15709c07a06396797
Instruction Fuzzy Hash: 5C41C5BA544310BBC720EB68EC44B6B77E8EF4C750F05992AF998D7250E774D850CB91

Function 031616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

LdrpAllocateTls, xrefs: 031A1B40
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 031A1B39
minkernel\ntdll\ldrtls.c, xrefs: 031A1B4A

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 0bdeac2c8eef0a052d0e6b2b56e47434da64d9e5973ba57aaa9db8b35ee77dbe
Instruction ID: f60d3e4d944b7d8d934a2001319ddb74ff1430356ac4425ce47c65745c068882
Opcode Fuzzy Hash: 0bdeac2c8eef0a052d0e6b2b56e47434da64d9e5973ba57aaa9db8b35ee77dbe
Instruction Fuzzy Hash: B34188B9A00608AFDB15DFA8DC41BAEFBF6FF4C714F148529E415AB250E774A810CB90

Function 031EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 031EC212
@, xrefs: 031EC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 031EC1C5

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: a5ebad2345ead49c6480ead60efb049c281171800d38b15b3cb0499b2da14517
Instruction ID: 59b2fe19268073fbac55a86f2d3fb9de89f784a3aa794689c8c4e55167820208
Opcode Fuzzy Hash: a5ebad2345ead49c6480ead60efb049c281171800d38b15b3cb0499b2da14517
Instruction Fuzzy Hash: E9418E76E0060AEFDB11DBD4CC81FEEF7B9AB0C700F08406AE915B7290D7759A458B90

Function 031C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 031C4225
LdrpResValidateFilePath Enter, xrefs: 031C4160
LdrpResValidateFilePath Exit, xrefs: 031C4172

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: d8be8b520d25fcd90c3ceb41e1e85f1a06e8c7a4cd4a0dc715a2d46cbb36f9bf
Instruction ID: d38425a9db5cce7c7b1dbbeaae05b2f418837e3b911105856399c49ccb85ab81
Opcode Fuzzy Hash: d8be8b520d25fcd90c3ceb41e1e85f1a06e8c7a4cd4a0dc715a2d46cbb36f9bf
Instruction Fuzzy Hash: CF41F1369183988BEB26DBA6D850BADB7B8EF6D340F18045ED851AF781DB349901CB11

Function 031B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 031B488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 031B4888
minkernel\ntdll\ldrredirect.c, xrefs: 031B4899

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: d7ffe3e1fbb9ed206a6bd23c00e84163699d9120af570fb5ce51fd4142f1cdf4
Instruction ID: a2e84c3cb9f2f663ac73fb5d422fe5ee0b05dbb7cd9bc53f15f1f691f65f62d7
Opcode Fuzzy Hash: d7ffe3e1fbb9ed206a6bd23c00e84163699d9120af570fb5ce51fd4142f1cdf4
Instruction Fuzzy Hash: 5341D632A007509FCB21DEAAD840AA6B7F8EF4D650F0A855DEC98DB353DB70D800CB91

Function 031633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

RtlCreateActivationContext, xrefs: 031A29F9
SXS: %s() passed the empty activation context data, xrefs: 031A29FE
Actx , xrefs: 031633AC

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 52fe236512da6bcb1f7c8b6d43e8be1c6e8c67f5b4306f0cbc4d4c991530c71f
Instruction ID: 91c84fa58915f41c149f25fd4fd1189e0ac58615c6bddb82e22d1b056e049b59
Opcode Fuzzy Hash: 52fe236512da6bcb1f7c8b6d43e8be1c6e8c67f5b4306f0cbc4d4c991530c71f
Instruction Fuzzy Hash: A131663A2003119FDB26DF98C880F96B3A5FF4D711F098869EC159F2A1CB70D862CB90

Function 03161607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

LdrpInitializeTls, xrefs: 031A1A47
minkernel\ntdll\ldrtls.c, xrefs: 031A1A51
DLL "%wZ" has TLS information at %p, xrefs: 031A1A40

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: f6bfc4d995390684315c5a0a99d2975ccab487c2ac28395b5f4414a84f213196
Instruction ID: d044590109290b9c21117bfa6e4c88bdd92f9ef3220fa507f14749e30d8ba644
Opcode Fuzzy Hash: f6bfc4d995390684315c5a0a99d2975ccab487c2ac28395b5f4414a84f213196
Instruction Fuzzy Hash: 9C31463AA00300BBEB20DB88DC49FBAB6BDFB5D754F158439E404AB180E7B0AD508790

Function 03171270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

@, xrefs: 031712A5
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0317127B
BuildLabEx, xrefs: 0317130F

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 6ccc5277f60b40d4ac3ab369e7728b354f70b8ce56b7cfb587b3e916118b20aa
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 8931827A90061DBFDB11EF95CC44EEEBBBDEB88760F144425E914AB260D730DA46CB90

Function 031B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 031B2104
Process initialization failed with status 0x%08lx, xrefs: 031B20F3
LdrpInitializationFailure, xrefs: 031B20FA

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 340fd74aa6876299f738e009d16417b2362c18d5f561e0b1ab5eca3662cf629d
Instruction ID: a6f487b3f4b03749e44fa7bd26525d3150b3fc0ca3549c71c6123bc462dab94e
Opcode Fuzzy Hash: 340fd74aa6876299f738e009d16417b2362c18d5f561e0b1ab5eca3662cf629d
Instruction Fuzzy Hash: 4AF02238640308BFEB20E60CEC06FDA77B8EB48B45F144868F6007B285D3F0E911CA90

Function 031403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03194D8A

Strings

#%u, xrefs: 03194D82

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: a1c75cded6fe85f11366ba1d4c4c6f95c51cf270cd9d36e7ead60f4fd69be933
Instruction ID: 90e4ebf6c00e23f50a4ef1615779d0dd5c0931a8e8391f9e81cc3b5a61969609
Opcode Fuzzy Hash: a1c75cded6fe85f11366ba1d4c4c6f95c51cf270cd9d36e7ead60f4fd69be933
Instruction Fuzzy Hash: 11715875A0020A9FDB05DFA9D990FAEB7F8BF0C744F194065E901AB251EB34ED41CBA0

Function 031D705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 031D70C8

Strings

kLsE, xrefs: 031D70A4

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 234e6833cbc92934b29e2f27466bc5c384397056c3272825174601f824fde1dc
Instruction ID: 5328281df125f7fd5747b469eea11ef593dbde2263d3c598e1d9882a6f8ff783
Opcode Fuzzy Hash: 234e6833cbc92934b29e2f27466bc5c384397056c3272825174601f824fde1dc
Instruction Fuzzy Hash: F04169325013506BD731FF65FC8CB697B94AB1AB24F189618ED604E0C9CBF44485C791

Function 031452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 031455A3
@, xrefs: 03145445

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d3a6dccf98cece0d6ec79728c113a6191a5a054f4a07b1b6bf9149decda8c089
Instruction ID: 038ed7c7ba55efb88e22e9042bde8c9cd9405c4a90bb11bcb2461518e36fb384
Opcode Fuzzy Hash: d3a6dccf98cece0d6ec79728c113a6191a5a054f4a07b1b6bf9149decda8c089
Instruction Fuzzy Hash: 62329B745083118BDB28CF19C580B3EB7E6EF8E750F19492EF9959B290E734D885CB62

Function 031FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 031FA44B
`, xrefs: 031FA551

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 6218440a5a6f84501f8f57d065bc67eb922392da69e26730aec7c628086a4a26
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 9CC1AD312043429FDB24CF28C841B6BFBE5AFC8358F184A2DF6998A290D779E545CF91

Function 031AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 031AE75A
UEFI, xrefs: 031AE751

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 58c3fecb45d1651c1302677e8277a1715efca76d8e065eaf54e25708fda203f9
Instruction ID: 8b799bf439008971c7f63e801e36c83e41809d30cd02441250c4ec471b7640d0
Opcode Fuzzy Hash: 58c3fecb45d1651c1302677e8277a1715efca76d8e065eaf54e25708fda203f9
Instruction Fuzzy Hash: 36614D75E007189FDB24DFADC980BADBBB9FB48701F14406DE559EB291D731A940CBA0

Function 0314F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 0314F7F6
$, xrefs: 0314F860

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: 79bacdbc283f95daf46e954a171c4ea1d9534f0675c042546e67fef2513aca36
Instruction ID: 220cb0aaf83605fa144726b79e0b8769689c2be2ebe8679ed41073338cf7d2ac
Opcode Fuzzy Hash: 79bacdbc283f95daf46e954a171c4ea1d9534f0675c042546e67fef2513aca36
Instruction Fuzzy Hash: 2861AA75A0074ADFDB20DFA4C584BA9B7B1FF4C704F188469E515AF780CB74A986CB90

Function 0313A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0313A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0313A309

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: c050d3bf11a9100ba0a6d8fd5d6291261e60f2c25974908bbee99d32c0f433d4
Instruction ID: 4d23ec59ab6759152c9ba130e63e2f42df78d3d653532962b5bf1c9f87ce8f90
Opcode Fuzzy Hash: c050d3bf11a9100ba0a6d8fd5d6291261e60f2c25974908bbee99d32c0f433d4
Instruction Fuzzy Hash: 3341D035A04649DBEB15CF69C840BADB7F4FF8A310F1844AAEC41DB291E335D941CB41

Function 0316329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

.Local\, xrefs: 031632B5
@, xrefs: 0316330D

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: cc988d2a8abc26382ace06588a63db298e0c398b09269046124ed0afe1a6b2dd
Instruction ID: 8a5b27d0eb099562108daed75780ae69229a60625e83bcbb0d364afdb0ab63c4
Opcode Fuzzy Hash: cc988d2a8abc26382ace06588a63db298e0c398b09269046124ed0afe1a6b2dd
Instruction Fuzzy Hash: 9231A17A508304AFC320DF68C880A5BBBE8EBCD654F490D2EF5A587260DB30DD55CB92

Function 0313C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0313C8C3, 0313CA40

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 50551704ad7a0277211f9cda658d222bb14f2d238d76a8e7e5490c43a25585c1
Instruction ID: 7e953197da83b6a77fa3c8e46734218ddd5be921ad5b624cdcb9b58a2003a8b2
Opcode Fuzzy Hash: 50551704ad7a0277211f9cda658d222bb14f2d238d76a8e7e5490c43a25585c1
Instruction Fuzzy Hash: 6D825975E002189BDB24CFA9D880BEDF7B5BF4E710F1881A9E859BB254D7309D85CB90

Function 03182F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

P`vRbv, xrefs: 0318300D, 031833E4, 0318343B, 031834FE, 0318352E

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: P`vRbv
API String ID: 0-2392986850
Opcode ID: c9bd803554842f07cb29d74286979745e5e5e7a533945e5b0141fb72f02c0bfd
Instruction ID: 4574afc047b3fb2f93c70c2b168fd19baf368894fd44d41957aa1a391145e4cd
Opcode Fuzzy Hash: c9bd803554842f07cb29d74286979745e5e5e7a533945e5b0141fb72f02c0bfd
Instruction Fuzzy Hash: 2742E67DD04259ABDF29EF68D4446BDFBB1AF0CB10F1C885AE461AB280D7748681CF58

Function 030BB232 Relevance: 1.9, Strings: 1, Instructions: 642COMMON

Download Yara Rule

Strings

`, xrefs: 030BB41D

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 2fcde5c7904d1cc09d039e7e7753b2026a15b30ed6799501881b702dd80e7238
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 55223870A19A099FCB99DF28C4996EEF7F1FB98301F44062AE45ED7250DF30A851CB85

Function 035EB232 Relevance: 1.9, Strings: 1, Instructions: 642COMMON

Download Yara Rule

Strings

`, xrefs: 035EB41D

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: d22fb82096ab12013b8fc6f7a6999bd0183a421410d9931a5f56309806e71306
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 0F223A70A18A099FCB5DDF28D4956AEF7F1FB98302F44062EE45ED7660DB30A451CB81

Function 03137370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852ba5e1a13fad494da553b10b98e6d038175b6be794ca8bc28a69b4b643dbb0
Instruction ID: 7c18cb73ba5065f2f6da288043d58e91246fa1f338fc3e0ae5c079a14b547b7a
Opcode Fuzzy Hash: 852ba5e1a13fad494da553b10b98e6d038175b6be794ca8bc28a69b4b643dbb0
Instruction Fuzzy Hash: 3DA17DB5608342DFD724DF28D480A2ABBF5BF8D304F15496EE5858B390E770E985CB92

Function 026D9E5B Relevance: 1.7, Strings: 1, Instructions: 434COMMON

Download Yara Rule

Strings

(, xrefs: 026DA17C

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 4f6bf1eb987708ccb7b4922ea9faab8edc6f18a453cfd42a011f31636055fdb1
Instruction ID: 87a3d43bfa603c6f9e8ead7a91db97fc734693b4f32c9a8b83598fd10a9ad943
Opcode Fuzzy Hash: 4f6bf1eb987708ccb7b4922ea9faab8edc6f18a453cfd42a011f31636055fdb1
Instruction Fuzzy Hash: EC121DB6E006189FDB14CF99C48059DFBF2FF88314F1AC1AAD849A7315D7746A418F80

Function 026D9E60 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 026DA17C

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 621c8c3ad20584e733b4df1c82da31bbea4d4c52d5897c5193a3e8a2b07f8656
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: DB021DB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80

Function 0316F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d1b85e589325452e87ee5160e9fef47b73845eec7d7cd1285d85110459ac3f
Instruction ID: 6120f976b77fcbd707341e265b1448485358cfb0436df9d2a4e922bea8381aa8
Opcode Fuzzy Hash: e2d1b85e589325452e87ee5160e9fef47b73845eec7d7cd1285d85110459ac3f
Instruction Fuzzy Hash: 034149B5900288AFDB20DFA9E880AADFBF4FB48340F54816EE959A7211D7309955CB60

Function 03130100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 03130255

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0ca10fc11417a7ed50810b2ef4c31b506fd209370639b3a98a2b6945f7a2f30b
Instruction ID: 4cdff3ba1326e5a590dfd4d40dcb5ebdf52e7967289401e67527aaa614904843
Opcode Fuzzy Hash: 0ca10fc11417a7ed50810b2ef4c31b506fd209370639b3a98a2b6945f7a2f30b
Instruction Fuzzy Hash: 8CA1FB35A083686BDF28DB19C840BFEA7E95F4E314F0940D9ED876B281C774C984CB65

Function 026EEE34 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

0, xrefs: 026EEC0A

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1df114d5379f01c420854ad042f3ec27fa52af3489586805299f9009a035677c
Instruction ID: 9664fbc2781903861f037f515d83655e45a943e6af98cb0bd6738ed9575ff39c
Opcode Fuzzy Hash: 1df114d5379f01c420854ad042f3ec27fa52af3489586805299f9009a035677c
Instruction Fuzzy Hash: BED15433A59380CFEB12CF38C98A7423FB5F745324B48425ED99297492D774246ACF89

Function 0316A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 031A67C9

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: c1693fb657b1025bcb5866c8c4a088545f528297fcd905f73ce7c4c5babeea8e
Instruction ID: 498bb1b740ff89bc95a8a0ace20c0e416b2cadf6780282ae27af91c8276d6445
Opcode Fuzzy Hash: c1693fb657b1025bcb5866c8c4a088545f528297fcd905f73ce7c4c5babeea8e
Instruction Fuzzy Hash: 67715E79E0071ADFDF28CF9CD5906ADBBB5BF4C702F18816AE805AB244D7709941CB50

Function 0313973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 031397F3

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: e49f6ebfc68184f65efa4808446785ea5b4f5c56b5ed4b26f6f881339a0d88da
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 71618E75D0025DABDF21DF99C840BEEFBB8FF89710F1945AAE810A7290D7709942CB50

Function 026EEAD0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

0, xrefs: 026EEC0A

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6db272c97322b3b0fa29930fc3b55a8b502d7f7bae67c8059515f7cb8f74e152
Instruction ID: eda574889cbff3abd8e808f0c3a1caa59555f9f86a156322a3681d97c9201f0b
Opcode Fuzzy Hash: 6db272c97322b3b0fa29930fc3b55a8b502d7f7bae67c8059515f7cb8f74e152
Instruction Fuzzy Hash: C6814333A48380CFDB01CF39C98A7423FB5F741324B49425EDA92974A2C774246ACF8A

Function 031BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 031BF867

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 581342c3e38b3c970094d872161f0588e479cfefccfa15e3bd424e943d494646
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 10515776604705AFD721DF54CC40FAAB7F8FB88750F080929FA949B290D7B4E916CB92

Function 0314E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0314E6A4

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: b883f53df7b5d7a41da2b9f9e7a299ca31c398e7b936d36d95527d747f681113
Instruction ID: ebd1ebe23d21d0dbe2d75391080f7cf6476850585e67620698dc2abf8a9fc5f4
Opcode Fuzzy Hash: b883f53df7b5d7a41da2b9f9e7a299ca31c398e7b936d36d95527d747f681113
Instruction Fuzzy Hash: 3D417D76608301ABD710DB75C980B6BB7E8BF8C725F480D2EF984EB180E774D94487A6

Function 031EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 031EB28F

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 90cae11d40d3c9cd59a11d32fd08047af4ead2712f4764b2184da0bcf02be324
Instruction ID: f4cb47842638c568b964a91da354e1684950a4faf2518a25d04b34fde4c9af27
Opcode Fuzzy Hash: 90cae11d40d3c9cd59a11d32fd08047af4ead2712f4764b2184da0bcf02be324
Instruction Fuzzy Hash: 8641153AD08619ABCB11DB95C841BEEF7B9EF4C710F098126E911EB254D7B1DE40C7A0

Function 031AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 031AC77F

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 42ccfa80a2ec1372a742e28a6215d7bc2abadd912acaa2c43480915723bec51c
Instruction ID: e3732bea40b2a04fa9e0714852ca39a536c2d3b1bf0b13bd3aad52554a735379
Opcode Fuzzy Hash: 42ccfa80a2ec1372a742e28a6215d7bc2abadd912acaa2c43480915723bec51c
Instruction Fuzzy Hash: 97412FB5D0062CABDB21DA64CC84FDEB77CAB49715F0045E5EA08AB140DB709E898FE4

Function 031B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 031B9870

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 677d4c12eb637db03c257e0c1285867a8db3867f487297a741a26f67fc788da1
Instruction ID: 06a3325f0c58d52f4f050724324ae219c9f6ffebeccdf8f0efdb54585390f796
Opcode Fuzzy Hash: 677d4c12eb637db03c257e0c1285867a8db3867f487297a741a26f67fc788da1
Instruction Fuzzy Hash: E3317075A10305AFDB24DF69A850AB6B7F5EB4D710F68807AE609DF281E7718C828790

Function 03167505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 031A4622

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 1e7b79e60991ba42b809fb9cafce8135bad680d20d1b6bc516741e0fdd7efec5
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 9B41C579A00615EBCF25DF88C4A0BBEB7B5FF48705F05409AE955AB280DB30D991CBA1

Function 03135096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 031350BF

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 73c0c48b0ed292ba833d1a3b5123423ba161301524c168fa5710257440450a4c
Instruction ID: 68a1feb96037c04bd7605725a6a39ec25fa5547d5ddd507f7878009fe44d371e
Opcode Fuzzy Hash: 73c0c48b0ed292ba833d1a3b5123423ba161301524c168fa5710257440450a4c
Instruction Fuzzy Hash: CF1166307055028BEB28C91D88506B6F2D7EB9FA64F3D452AD456CB391D773D8818780

Function 0316E8F0 Relevance: 1.0, Instructions: 985COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78034d7e9cddb04a8499e06d7b4655d70c17f837191c17fb4147967745935e34
Instruction ID: 3f299a1344a20b1394d61fdf07fb2295ce918f412a250200257abcc9d30d9706
Opcode Fuzzy Hash: 78034d7e9cddb04a8499e06d7b4655d70c17f837191c17fb4147967745935e34
Instruction Fuzzy Hash: D7822472F102188BCB58CFADD8916DDB7F2EF8C314B19812DE416EB345DA34AC568B45

Function 0317516C Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e48d6bbdf49bfa70d6580a0c5e728defd09562ae5f3d60b2ad57d4f5cd09230
Instruction ID: 06ef60fded33a6547afe58c8ae6693b8e39d2205a7ab43524c8192a31cd4df9f
Opcode Fuzzy Hash: 7e48d6bbdf49bfa70d6580a0c5e728defd09562ae5f3d60b2ad57d4f5cd09230
Instruction Fuzzy Hash: 88625E3290464AEFCF25CF08D4905AEFB73BA5A314B4DC69CC89A67604D371BA94CBD1

Function 0318739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a93906bf394fdd4a4f61629556514374d7fd34fb1300468fa2493640fb1b27
Instruction ID: cb669ae3729bf593cb62442aec902bd9b3d16e1fea2d7f2e52859f25c0eb9697
Opcode Fuzzy Hash: d7a93906bf394fdd4a4f61629556514374d7fd34fb1300468fa2493640fb1b27
Instruction Fuzzy Hash: E3429F75A006168FDB18EF59C4906BEF7B6FF8C314B288569D552AB380D734E842CF94

Function 03185AA0 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684

Function 0315B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277413f1ea189c50746591743a4d132fbbf6154ace821f8b238c2733512324c5
Instruction ID: ef97161021554da96d03ab4cb770b88472c17fdb1b472934b5ad3e50391cc882
Opcode Fuzzy Hash: 277413f1ea189c50746591743a4d132fbbf6154ace821f8b238c2733512324c5
Instruction Fuzzy Hash: 8832BF76E05219DBCF24DFA8C894BAEBBB5FF48714F184029F815AB380E7759941CB90

Function 03142840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb77de338d4fc754fb4da5499b1983a2070fdcda94834b061f0fa517697e038c
Instruction ID: 15db4ff11217f773fc8427652ab84597c56cbf8fa3a361512b40b6ceb676725e
Opcode Fuzzy Hash: cb77de338d4fc754fb4da5499b1983a2070fdcda94834b061f0fa517697e038c
Instruction Fuzzy Hash: 6732AD74A007558FEF28CF69C8447BEFBF6AF88714F18455EE4469B284D735A882CB60

Function 031DA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439212df651499bccba73a13d2a2d15c253475cc94a492814b835ad3a80a7e3c
Instruction ID: fbeff0aaf2bcc5f6892b1359484c4c663e3928afc8cd601668755f067099261f
Opcode Fuzzy Hash: 439212df651499bccba73a13d2a2d15c253475cc94a492814b835ad3a80a7e3c
Instruction Fuzzy Hash: 4C22D174204661CFDB28CF29C094772B7F1AF4E300F0D859AE9968F685E735E592CB60

Function 031F16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6b5a406880c0dc1a590e59918409ba25b078025061aad27db5dcd414f2565c
Instruction ID: 3cc327ce586aebf61db9d1a24ff70284bb4e3457ba2e0614f0077fd25f9a39ef
Opcode Fuzzy Hash: 5e6b5a406880c0dc1a590e59918409ba25b078025061aad27db5dcd414f2565c
Instruction Fuzzy Hash: E3229035A00216DFCB19CF59C490AAAF7B6BF8D314B2845BDDA56DB344DB30E942CB90

Function 0315FB80 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821c774548ea3247a843d78bec732156299e38bff04f442979787c5a3fce674d
Instruction ID: 5588958a9fdbac4b756c23b8800d69337772a12549e48c299b8337c36885afe7
Opcode Fuzzy Hash: 821c774548ea3247a843d78bec732156299e38bff04f442979787c5a3fce674d
Instruction Fuzzy Hash: A022C679D00609EFDB14DFA8C884BAEB7B5FF4C311F1885A9E8149B245E734DA85CB90

Function 030B8912 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27f183078115b9e4f8fe20dd9ef32afe9fe95e7fab8d9d706de258247787a69
Instruction ID: abb0271e969d686fd8b0e52eb15ade61871ad5f6baedea2852dc5cb7494694ce
Opcode Fuzzy Hash: e27f183078115b9e4f8fe20dd9ef32afe9fe95e7fab8d9d706de258247787a69
Instruction Fuzzy Hash: 52E1F472BA86404BC71CDE18DCC26B973EAE7CA309F19943CE4C7C7247DA29D5038949

Function 035E8912 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27f183078115b9e4f8fe20dd9ef32afe9fe95e7fab8d9d706de258247787a69
Instruction ID: cc35d66e54420275b499211c61ae56afeda0343cbd9ec874be0bace986a5af5c
Opcode Fuzzy Hash: e27f183078115b9e4f8fe20dd9ef32afe9fe95e7fab8d9d706de258247787a69
Instruction Fuzzy Hash: 4EE10472BA86404BC71CDE18ECC26B973EAE7CA309F19947CE4C7C7247DA29D5038949

Function 03103FD2 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ef15869f96430b2f187ee95b1c7d0ab198b687f9f8708ddb1d341b2d510748
Instruction ID: bc6ab298f15442ca38daf5d6bf0531e6bd1efb5f23bab31b2e126b2c02f61805
Opcode Fuzzy Hash: 49ef15869f96430b2f187ee95b1c7d0ab198b687f9f8708ddb1d341b2d510748
Instruction Fuzzy Hash: 1EF12C5082E3C22EF303AB345DAAB91BF614B17314F694ACB94E5DB493D5C8C269D332

Function 031F2446 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89a1438ba4fba81e4ff50c3d5796ebbf3dd0d927881202ad5badf18107a43a9
Instruction ID: 371329cc230aefb16db070519f29ecea6b78d5b38a4608a34b4667a59986c1b3
Opcode Fuzzy Hash: e89a1438ba4fba81e4ff50c3d5796ebbf3dd0d927881202ad5badf18107a43a9
Instruction Fuzzy Hash: 1D02E2796046518FDB28CF2AC4502B5F7F1AF9D300B19899ADAD6CF291D734D883DB60

Function 0320B16B Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8f6854bf60841e2c243c31c6fd24440ede103f2bf7e4dd0985db471e4c66a0
Instruction ID: 30a212cdff43c120b41f975c16111edb3f1f7fbcb6ff197d624bd78f5aa42410
Opcode Fuzzy Hash: 6e8f6854bf60841e2c243c31c6fd24440ede103f2bf7e4dd0985db471e4c66a0
Instruction Fuzzy Hash: C2F1F772E102129FCB28CFA9C9A067EFBF5AF8820071D416DD456DB3C1D674EA85CB90

Function 026D2FB0 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 0241974a290f4dc3bacc2203c2d548d32c7f7f318987eef6a98a3de4268f6595
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: AE026E73E547165FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Function 0320A9A6 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8217ed48e1dd218f2e263038d5d46bae1449b33c095cdbeedbf8bf332d0c2fb9
Instruction ID: 4201a26bd52482d468263e498c12c0f56497f24f663c7e4028daa1d84f2b4ce0
Opcode Fuzzy Hash: 8217ed48e1dd218f2e263038d5d46bae1449b33c095cdbeedbf8bf332d0c2fb9
Instruction Fuzzy Hash: 66F1E573E106269BCB18CF68C5A05BDFBF5AF54200B5A4269D856EB3C1D734DE84CB90

Function 026EE0EA Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5536d6ddc44d4289dc5b9911f8a30ba67a91d283cb9dfa3fb512cd2e3dfc4f9e
Instruction ID: 1ee47db2aafd419c7f7484161f42b1d49f7876117836d3989da67b6d19c042e4
Opcode Fuzzy Hash: 5536d6ddc44d4289dc5b9911f8a30ba67a91d283cb9dfa3fb512cd2e3dfc4f9e
Instruction Fuzzy Hash: A9126572919391DFDB1ACF38D9867513FB1F742314B08829ED8A1935D2DB38252ADF88

Function 03128397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99b4500b49bbdc7c41a58980ce7a37006a8bf751c70737c966eb2a8c6b3449e
Instruction ID: 7829a688a2cbdeff0f9c30d2c5753b7ea6a0d0c1bbdc019a025cc3395cd05dd1
Opcode Fuzzy Hash: d99b4500b49bbdc7c41a58980ce7a37006a8bf751c70737c966eb2a8c6b3449e
Instruction Fuzzy Hash: 64D1E475A007269BCF18DF65C890BBABBB5FF4C304F198629E815DB280E734E961CB50

Function 0315C6E0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c993d932aea71863ee137dff14597bba4fada6a15526cf6352c83afa21f6aaac
Instruction ID: 8286eefe44d0a8f797916d14b45e5f1565b81c995cb1ff95c42ad53e62135a14
Opcode Fuzzy Hash: c993d932aea71863ee137dff14597bba4fada6a15526cf6352c83afa21f6aaac
Instruction Fuzzy Hash: A6D14A71E04319CBEF28CF98C5943BDBBB5FB48340F19906AE862A7294D7748981CBD4

Function 030BE5CD Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a75f732bcaf17438dac538d57962d60df10d8bc0b90a0b63c797cdd2248b8f6
Instruction ID: 13f7f835f3e396e548351507ec23a5a83f7e0919254b000657e1260d5974fe95
Opcode Fuzzy Hash: 1a75f732bcaf17438dac538d57962d60df10d8bc0b90a0b63c797cdd2248b8f6
Instruction Fuzzy Hash: 1ED1486644F3C29FD7538B34A8656E1BFB19E1722470F44DBC4C08F4A3E259494AC362

Function 035EE5CD Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a75f732bcaf17438dac538d57962d60df10d8bc0b90a0b63c797cdd2248b8f6
Instruction ID: 3a02d8d7abaf6c7de98ee24c9e0f5773fb24121d4881f33c8f4624ddcedfe0c7
Opcode Fuzzy Hash: 1a75f732bcaf17438dac538d57962d60df10d8bc0b90a0b63c797cdd2248b8f6
Instruction Fuzzy Hash: 80D169A685E3C29FD7178B346C756A1BFB1AE17224B0F44DBC4C08F4B3E259494AD362

Function 031438E0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d68de47162b97188879e7ff75ac045c66621ca5de3cde1e802028c182544e5f
Instruction ID: c42c3323c3901063a64bbac1c788fee6b7b6b1db95928ba47165750221f8fed2
Opcode Fuzzy Hash: 2d68de47162b97188879e7ff75ac045c66621ca5de3cde1e802028c182544e5f
Instruction Fuzzy Hash: 8BE19E75A00205DFDB18CF58C880AAAB7F5FF5C310F298599E866EB391D734E951CBA0

Function 026EDB72 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4be3575ee97074a2761ca45740cf3d344041cef5e9452e50ec4e6e5bcda081
Instruction ID: 1b47dd9b20206b4209a16be1f51e8c31ce40e19b09749d2291b7535773bcd992
Opcode Fuzzy Hash: ac4be3575ee97074a2761ca45740cf3d344041cef5e9452e50ec4e6e5bcda081
Instruction Fuzzy Hash: 48026872919781CFEB16DF39D986A503FB5F742324B08828EC8A1935E1D738252ADF49

Function 0313D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b410f590d6efe13946cf0ac1c6807f4b1cd79ea1ce9e889a00d398072f1bc1aa
Instruction ID: b979e5370951c028b6d4ceb3bacb28d7a034a9b62b2ae2141f98ebf8d83efa0f
Opcode Fuzzy Hash: b410f590d6efe13946cf0ac1c6807f4b1cd79ea1ce9e889a00d398072f1bc1aa
Instruction Fuzzy Hash: ADC1B671E002159FEF28CF5AD840BAEF7B5FF59314F1982A9D815AB290D770E942CB80

Function 0315D2F0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
Instruction ID: 6ee77efcb700e53e517a10cb7c1eb0969c6d8217d5ad62b4c97779cf84e8f246
Opcode Fuzzy Hash: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
Instruction Fuzzy Hash: 55B1E722A14514CBEF1CCB18D8A137D6367EFDD211F1E82AAEC268F7D5D77899818342

Function 030B1082 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c405e12876c8006324a92657e80a7d0a99c6e8e74291b674bd38530cd5c25550
Instruction ID: e263d35d17973623c4d5aa38e891f97a2ac75fd87241bbc03727cd3797932f71
Opcode Fuzzy Hash: c405e12876c8006324a92657e80a7d0a99c6e8e74291b674bd38530cd5c25550
Instruction Fuzzy Hash: 0BB15D75225B488FCB69EF24C894AEAB3F4FF94305F40066E955BCB150EF30A645CB86

Function 035E1082 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c405e12876c8006324a92657e80a7d0a99c6e8e74291b674bd38530cd5c25550
Instruction ID: 17b4db508a7298b901a7770c3342dda6dab2cdbc164261b75faac25dd254ed79
Opcode Fuzzy Hash: c405e12876c8006324a92657e80a7d0a99c6e8e74291b674bd38530cd5c25550
Instruction Fuzzy Hash: 50B16F35124B498FC769EF24E884AEAB3F4FF94305F44056D945BCB161EF30A645CB86

Function 03140535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 2b3a5d7eaa46ac429eeb0a03908f2cb2f043e9af2e351b197570736e0237170d
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 52B12775600745AFDF25DB69C850BBEFBF6EF4D200F190199D6529B281DB30E982CB90

Function 026EDA81 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e672693f1689a5cc90c26117af48f77c362a8f2a2f0f32cb5493afaa51a1b77
Instruction ID: 53b349ec861f4956a90940396247489fa060f87a01a0ceaf1d9a170e1ccabdf3
Opcode Fuzzy Hash: 7e672693f1689a5cc90c26117af48f77c362a8f2a2f0f32cb5493afaa51a1b77
Instruction Fuzzy Hash: 5CE18872919781DFDB1ACF39D9466513FB5F346324B08828FC8A2935D2D738251ADF88

Function 031590DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e03e5f9ba25fa147d7177ade2718e8ec81580229d157c71b67b6c99bcc192fe
Instruction ID: c78f8ca47f5cee0c1950389095f7aaa21e352bd807eab3cb9b46f9efa6ca9a92
Opcode Fuzzy Hash: 3e03e5f9ba25fa147d7177ade2718e8ec81580229d157c71b67b6c99bcc192fe
Instruction Fuzzy Hash: 25A16675900205AFEF22EFA4CC81BAEB7B9EF49750F054054FA10AF2A0D7759D11CBA1

Function 031383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b19184c40b6de391a1fcde63d9c4cf227c20c61715d9ae398ac278a801e418a
Instruction ID: 3107bcbd6c87a410bbcf95d5c292179ed809cbee6479f3d62154d5d3377ea48e
Opcode Fuzzy Hash: 3b19184c40b6de391a1fcde63d9c4cf227c20c61715d9ae398ac278a801e418a
Instruction Fuzzy Hash: 1FC14974108341DFEB64CF15C494BAAB7E5FF88304F48496EE9898B291D774EA48CF92

Function 03170185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70a13d34d09f93c485c5c86925770075393315c0dd8f68f4ea28a6cc2f39c85
Instruction ID: bcbc77fbea65030ec02b06cbfbda1ded451fb0e7f7877cf8fbe2c3dca314ef69
Opcode Fuzzy Hash: f70a13d34d09f93c485c5c86925770075393315c0dd8f68f4ea28a6cc2f39c85
Instruction Fuzzy Hash: 3DA1C075B00719DFDB28DF69C890BAAB7B5FF4C315F184129EA069B281DB34E852CB50

Function 026EE43E Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecf813f97a88b5728cddbeb780f7274d2d81527003f3df8eb15c1d3ccaba7bb
Instruction ID: 3e6a7e319d7666392a1fff897ed5d27089070aacb47b5331b0e3f773ab7d0d6e
Opcode Fuzzy Hash: 5ecf813f97a88b5728cddbeb780f7274d2d81527003f3df8eb15c1d3ccaba7bb
Instruction Fuzzy Hash: FBD15472919381CFEB16DF39D9566503FB5F706324B08828FD8A1936E1D738252ACF88

Function 0314E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a236a6eaf65badb3c460549418f370999279451344a5730cd2fad4afc573592
Instruction ID: 829ad7d69d67da72b507dbbb52d3a01ccfbaf99b208fdc7c6fa2a9569fb86484
Opcode Fuzzy Hash: 9a236a6eaf65badb3c460549418f370999279451344a5730cd2fad4afc573592
Instruction Fuzzy Hash: DB910636A006159BEB24DB69D844BBDB7A5FF8C710F0D44AAE805DF740E738D981CB61

Function 03131131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1feec504561dc0cf3036032910a30c1930702e3d57f82a3a6c3d8a699046d052
Instruction ID: a83e39f0a9e0210c8002a79d8a6edabbf5b546fe4ab83fbea725e41f3d99fe80
Opcode Fuzzy Hash: 1feec504561dc0cf3036032910a30c1930702e3d57f82a3a6c3d8a699046d052
Instruction Fuzzy Hash: E1B1F0756093409FD354DF28C480A5AFBE1BB8D304F18496EF899DB351D371E986CB46

Function 03164750 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction ID: 41e2776c5cef9771597f89f4debab6bfc62199803fd8df5aa1f2a28e03676a32
Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction Fuzzy Hash: 1F816B29E047958FEB25CEEDC8C037DBB65EF5E200F1D4A7AD8528B241CB64D896C391

Function 026ED569 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a6ffe801dba30c202caa0171e4f45638f216cda252ad8a007b359fa952ed04
Instruction ID: 35f5e67372def584b71ab1ebfd5e7986d72600b2e631f73ddca1ed36d5300b93
Opcode Fuzzy Hash: 94a6ffe801dba30c202caa0171e4f45638f216cda252ad8a007b359fa952ed04
Instruction Fuzzy Hash: 09C16572909381CFEB1ADF39D9566513FB5F742324B08828FD8A1935E1D738252ADF88

Function 0317DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction ID: 82bd9f9a6bca0b9a1f2d67ecab99ed68977211e1213c90144d3c6aa73f6243a6
Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction Fuzzy Hash: 82915071620A0ACFD725CF29D885662BBF0FF59324B1D8A1CD4E6DB6A0C775E561CB00

Function 026ED576 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b91ed06c7a5037144b35a1f9ec33502fb88b392af0ee8e485ae396d502aa1ff
Instruction ID: 766baa83663e432d4e111669a1ddfe031f01f0db59dc1ed842e51c6a84cd130e
Opcode Fuzzy Hash: 2b91ed06c7a5037144b35a1f9ec33502fb88b392af0ee8e485ae396d502aa1ff
Instruction Fuzzy Hash: C3C17472809381CFEB1ADF39D9466503FB5F742324B08828FC8A1935E1D738252ADF88

Function 031FF7B0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e72274099ad604c5e04d5419007bb02796477677c37ac9f6ada28440d0900b6
Instruction ID: 5ccade670f6a5c286ae7c902d4fa1a971431d633e5bebaac9bc1a904573bbd19
Opcode Fuzzy Hash: 3e72274099ad604c5e04d5419007bb02796477677c37ac9f6ada28440d0900b6
Instruction Fuzzy Hash: A191E576E00206AFDB14CF28C8807AAB7E5FF4C310F198578EA55DB291D7B4E956CB90

Function 031FF43F Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fe490a6aab5689a77e126d63ff9c0d1024dc389cf2b20b1961ecfdaa741bee
Instruction ID: 5f1cf6558e19b6a5c0efc782dac8e963340e8f88267e351442ea6874f1f09d6e
Opcode Fuzzy Hash: 43fe490a6aab5689a77e126d63ff9c0d1024dc389cf2b20b1961ecfdaa741bee
Instruction Fuzzy Hash: C991D072A001199FCB18DF69C8906BABBF1FF8C210F19C2A9D916DB295D774D906CB50

Function 031F81CC Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be23620be50a1f8c81c879c1c8bd613026ddae564c9820886e633a43eb7c27cf
Instruction ID: 437fd7360fc1eef417f8bed002ea010a77deb19d81cf2e23e3164eee783a0472
Opcode Fuzzy Hash: be23620be50a1f8c81c879c1c8bd613026ddae564c9820886e633a43eb7c27cf
Instruction Fuzzy Hash: 7F819572E006199FCB18CFA9C8805AEB7F5FF8C314B19436AD925E7290D774E952CB90

Function 031EE4F6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac6fef473a60fdd3f28bb7e7ca54578b4d318344d0c008b8c6bf36f85a83c96
Instruction ID: a10b70e844c6995c3bc5d791db3a973f279cdd5e50990e9cea50a372c099c928
Opcode Fuzzy Hash: 0ac6fef473a60fdd3f28bb7e7ca54578b4d318344d0c008b8c6bf36f85a83c96
Instruction Fuzzy Hash: CE818076E006159BCB18CF99C9906ADFBF1EF8C310F198169D816EF385D7359941CBA0

Function 031FAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 2f47db803779106586a885d8d808e2ff0f385495f10fef3d6d7cfe49347df619
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 87818335A102059FCF18DF98C890AAEB7F6FF88314F198569D91A9B344D778E941CF50

Function 0315D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: f811f735f794a40e499876df6058f80245577b66e22e0f309ed0b026de2cc762
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 4E815E76E00115CBEF18DF68C9907ADF7B2FB88344F19816BD825BB344D735AA408BA1

Function 0316E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67fe5f581cae626bd54a7f3fdb0e0f901814b08792d4b89d8bceb3d92bed473
Instruction ID: ad0f19791d8f68e567f90b416fb7b432d7ca845b4adc521115188fa0abb9f4ac
Opcode Fuzzy Hash: c67fe5f581cae626bd54a7f3fdb0e0f901814b08792d4b89d8bceb3d92bed473
Instruction Fuzzy Hash: E1818C79A00709AFDB25CFA9C980AEEF7BAFF8C340F144529E556A7250D730AC55CB60

Function 0315B950 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23237a321ee757ab050d0f5079f179cb7a72fd5b06c38d0f3222d5432b386c5
Instruction ID: cac01dcedd72ffdf427f1a2117489120eedc3469486d9a533433a630a0bf7ca3
Opcode Fuzzy Hash: f23237a321ee757ab050d0f5079f179cb7a72fd5b06c38d0f3222d5432b386c5
Instruction Fuzzy Hash: 1471E474208650DFEB28CF2AC940736B7E1AB8C704F59D55AFCA68B1C4D775E842CB61

Function 0314C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e770bbac2faed309101bd3c70727b6f125911143b98d393fa15cb0d5fcbb0445
Instruction ID: 1478abc8f48f8d152600f40fbde7af5538f8f8dcf61f5c768f41af095bdee17d
Opcode Fuzzy Hash: e770bbac2faed309101bd3c70727b6f125911143b98d393fa15cb0d5fcbb0445
Instruction Fuzzy Hash: 0B71CBB6C01265ABDB25CF59D9907BEBBB4FF5D700F19815AE842AB350E7709840CBA0

Function 031EDAC6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4161c31157465c9ac77ff383c94739183ab102354d4bebadd1e31343ad37fe1
Instruction ID: 83e28826aed8d009fe6805cea8fcb5bd359f7a91fa1d0492fbd8e57b06971697
Opcode Fuzzy Hash: a4161c31157465c9ac77ff383c94739183ab102354d4bebadd1e31343ad37fe1
Instruction Fuzzy Hash: A5818B70D00A959FCB24CF69D440AAABBF0FF4D740F04849DE496AB285D376D881EF50

Function 031F70E9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bb796a3db524cf979073562d0685a8977ed473ba4448b7c440b381ec9f3604
Instruction ID: dbeaf2c3b3cff142408510310ff0e56a4539ed65419c97fe034e968271240a68
Opcode Fuzzy Hash: 24bb796a3db524cf979073562d0685a8977ed473ba4448b7c440b381ec9f3604
Instruction Fuzzy Hash: B561D575E00316AFCB14EEA5C8909FFF779AF4C250F184429EA11AB280DB70D9458B90

Function 0314260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca33314fff5530f9194de72a0dd5bd3a2c75159fcda820c15e3d5a8160d19b5
Instruction ID: bbe259c01fd01f9d85b5262b42dba94ececb72808572afedfb25d827ce75bd28
Opcode Fuzzy Hash: aca33314fff5530f9194de72a0dd5bd3a2c75159fcda820c15e3d5a8160d19b5
Instruction Fuzzy Hash: 5371CF356046419FD715DF28C480B6AB7E5FF8C310F0989AAF898CB351DB38D886CBA1

Function 031EF0CC Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f3eb414141b690b602478265a276e788968a4e59f65e3b3eee468e10b418a0
Instruction ID: 37bd3a7b90b36339a92c9d02431a480a7230a36c60d721f24f38ef09c43f5417
Opcode Fuzzy Hash: e7f3eb414141b690b602478265a276e788968a4e59f65e3b3eee468e10b418a0
Instruction Fuzzy Hash: 14719E79A01A26DBCB28CF5AC48017AF3F1FF4C705B6A846EDD4297240D376E982CB50

Function 031B035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 733cb9aedb568d59a33a2933617d72baf60d4e9aea2216b1b2c2453d020544d2
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 70715A75E00619AFCB11DFA9C984EEEBBB9FF8C700F144569E505AB250DB34EA41CB90

Function 031C62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec74d454cb37eb601c94e71e1f7d60ea5bcda0a5f031b01793951bb1a8c561e
Instruction ID: 73fd3f35b953c767d053dcd59cf09b0db505b70e2d0a101766df6144197a757c
Opcode Fuzzy Hash: bec74d454cb37eb601c94e71e1f7d60ea5bcda0a5f031b01793951bb1a8c561e
Instruction Fuzzy Hash: 9171EE36210B41AFDB31DF54C844FAAB7B5EF58720F1D882CE25A8B2A0DB74E945CB50

Function 031F7A46 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443c321d49ff6dac00f7f441121dd4dda6e08ba92afeb7a9b01c4923dc3891e8
Instruction ID: 7307bc8d709c8e85dcecf2ef37fd0273d26e48a0168f75b1ccf8bb57d5783b05
Opcode Fuzzy Hash: 443c321d49ff6dac00f7f441121dd4dda6e08ba92afeb7a9b01c4923dc3891e8
Instruction Fuzzy Hash: E0512875A002265FCB18DF69C880ABAB7E6EF8C350B194169EE55DB3C4DB74C942C7A0

Function 031F132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f32f988235a37fbda83e1f90cda69c42638b603aa694b2f8c35c55b089778d
Instruction ID: 4fb01bbd454018964fcce77aae6134b0fff13c970b7716e9362d8af57f3cc9bd
Opcode Fuzzy Hash: 55f32f988235a37fbda83e1f90cda69c42638b603aa694b2f8c35c55b089778d
Instruction Fuzzy Hash: 94819075A00605DFCB09CFA9C490AAEBBF1FF88310F1981A9D859EB355D734EA41CB90

Function 031F903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40addf42c5fd2e0cc19a0e5543f2d27370a6f41a67ea06236248cf4368bd5053
Instruction ID: 1fb1a0ce5f6bff55fd783712f4d3917cef333fa76af6cbb85d051eea06380ae1
Opcode Fuzzy Hash: 40addf42c5fd2e0cc19a0e5543f2d27370a6f41a67ea06236248cf4368bd5053
Instruction Fuzzy Hash: 5B61EE75600715AFD315EF68C884BABBBA9FF8C350F048619FA698B240DB30E511CBD1

Function 03137703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd273352becaf2d3178c3445e7ec8f53bdf7136b38b8af37e23f6fe4d09264c9
Instruction ID: 06e39b6abd1510734b60196e2c3b05d68bac1e01f8e4807b9f216e9737a2a25d
Opcode Fuzzy Hash: fd273352becaf2d3178c3445e7ec8f53bdf7136b38b8af37e23f6fe4d09264c9
Instruction Fuzzy Hash: D76143B5A00606EFDB18DF68D480AADFBB5FF4D210F1885AED519A7340DB30A955CBD0

Function 030B5B30 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00decb759f0a0a5b506fde3db33c21a66b91628726808b13d9680d45fb230924
Instruction ID: 6ea431da51e9ba75ac0dacc7d3804fb1eaeeacb7f6fb779a701c880fe4fd52fa
Opcode Fuzzy Hash: 00decb759f0a0a5b506fde3db33c21a66b91628726808b13d9680d45fb230924
Instruction Fuzzy Hash: 2C414474228A5C8F8BA8DF2C80982BAB7E2FBD9215741476E849FCB648DF34D5425B41

Function 035E5B30 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00decb759f0a0a5b506fde3db33c21a66b91628726808b13d9680d45fb230924
Instruction ID: 80b98419e9a5df1a5a291404f086b646b3b1bf70dc000954a283182f7a4f5ef6
Opcode Fuzzy Hash: 00decb759f0a0a5b506fde3db33c21a66b91628726808b13d9680d45fb230924
Instruction Fuzzy Hash: C1416178228A5C8F8B9CDF2C909823AB7F2FBD9215741476E849FCB618DF34C5419B42

Function 031F92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d2cc4a0735d45fcf7a4d3dfcc6fc07625d655d09462384230d25c5bf168fa2
Instruction ID: 10924bcd471f5002e7f09a949c3e575a15c811080bf62a69ae55fb85c7a62775
Opcode Fuzzy Hash: 65d2cc4a0735d45fcf7a4d3dfcc6fc07625d655d09462384230d25c5bf168fa2
Instruction Fuzzy Hash: 8B6136352047428FD315EF68C894B6AF7E0FF98308F1C486CEA958B291DB35E846CB81

Function 030B5B32 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854687775.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_30b0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90847b0600c76fbd8cbdbcc3aa2155c44a328d670e951348b18462eee9109b19
Instruction ID: 57852b68faca3ed473946e430faa891e80c6e242b28b8693c2fc0e7326d061a0
Opcode Fuzzy Hash: 90847b0600c76fbd8cbdbcc3aa2155c44a328d670e951348b18462eee9109b19
Instruction Fuzzy Hash: 55415474228A5C8F8BA8DF2C80982BAB7E2FBD9215751476E449FCB648DF34C5425B41

Function 035E5B32 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1855375315.00000000035E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_35e0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90847b0600c76fbd8cbdbcc3aa2155c44a328d670e951348b18462eee9109b19
Instruction ID: 5f50de1a0c2f2be5615d0248c6188aae230e1a6d2329adfb021560d8500d8e93
Opcode Fuzzy Hash: 90847b0600c76fbd8cbdbcc3aa2155c44a328d670e951348b18462eee9109b19
Instruction Fuzzy Hash: 50416174228A5C8F8B9CDF2C909823AB7F2FBD9215741876E849FCB618DF34C5419B42

Function 026EE743 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccb92c0ffcfcbe2b84818477e0a4b1a0cce97956e5c63b1cdfc9f8ace8624a5
Instruction ID: eed653a58544e33587d9506585d05194fef802ece2358402b6e286b8657cc499
Opcode Fuzzy Hash: 6ccb92c0ffcfcbe2b84818477e0a4b1a0cce97956e5c63b1cdfc9f8ace8624a5
Instruction Fuzzy Hash: A381123294D3C1CFEB1ADF78E89A6453FB1F746720B08478DD8A24A2E6C7751166CB41

Function 026D2D90 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 3c8bfdcbecaad7fc4d41a63fba473f822c2c1e677f4157eb0160bbaa97897e26
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: FA5180B3E14A254BD3188E09CC50631B792EFC8312B5B81BADD199B357CA74E9529A90

Function 0312B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee17ae066fd4f1c96160dac10b3c2f950f123cf6973abfc13923b72dc78529b
Instruction ID: 44f87c4200397ef018c3e169df186075f3301db72c450fe310c4bafbbbb9e52d
Opcode Fuzzy Hash: 8ee17ae066fd4f1c96160dac10b3c2f950f123cf6973abfc13923b72dc78529b
Instruction Fuzzy Hash: FD412535604710AFC726EF25EC80B26BBA9EF4C720F19C46AE5599F250D770DCA1CB90

Function 03143740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae77a26b943d7c2b72085df0fd3dbc4be86e8dfda96d389ed005e16e7936df7
Instruction ID: 1b86a14f541fb008bde9fbeb74f86296200646f2cc25c1111b31d71fb7b87d2f
Opcode Fuzzy Hash: 4ae77a26b943d7c2b72085df0fd3dbc4be86e8dfda96d389ed005e16e7936df7
Instruction Fuzzy Hash: 58511479E00616AFC715CF68C880669F7B0FF48710F098AA5E8A5DB740E734E9A1CBD0

Function 03137152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d472042b0b02743d304d669fdf6936a3d68442c161e7b9d9464f9fd0812e9b6
Instruction ID: 5ebeb2c3d08559afeb7416453e6092edfec6a710ce1446cc12d4c907d589417d
Opcode Fuzzy Hash: 8d472042b0b02743d304d669fdf6936a3d68442c161e7b9d9464f9fd0812e9b6
Instruction Fuzzy Hash: 6F51E076A0060AEFEF19EF64C944BADB7B9BF0D315F14406AE412972D0EB749991CB80

Function 031B3A6C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07580290651f2aaf41b633e350d70dd2c15b4a44c312f6286bec0499172c343e
Instruction ID: 8b75cebbbf6b9a64fe2f09baad39ba0d85559750b37ff8282b8edfeca866afa6
Opcode Fuzzy Hash: 07580290651f2aaf41b633e350d70dd2c15b4a44c312f6286bec0499172c343e
Instruction Fuzzy Hash: 80518E36E5012D5BEF24CA58D8A1BEFB3F2EB48310F480819E855BB3C4C7B669A6D550

Function 031FD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: e8d0ac8144e5a8ba6a5552a2437cc3cdcb12a64ff6dd614526a71cb47bc69151
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: A5517D766087429FC315CF28D884B6ABBE5FFC8344F08892DFA948B244D734E945CB92

Function 031F7571 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c5e494c19f78299401dc6bb88cf5ede70ebb7383cdeab8e72c581fd874fecc
Instruction ID: 756dd8f322d329b0e86e102c84bf33ae283242b67c6cc7f5ce3f8d9794501e11
Opcode Fuzzy Hash: 99c5e494c19f78299401dc6bb88cf5ede70ebb7383cdeab8e72c581fd874fecc
Instruction Fuzzy Hash: D4510431A00219AFDB15EF69D844A7EFBB9FF4C390F198169DA05E7290DB70AD51CB80

Function 031351ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f94cd31e5a15955585a011d2464506e5749d6ac7d85e1e4e352b535b295f6e2
Instruction ID: 0009860c8dabd42f67832ac2ce1dc4c3913fb2bb908fb93557d6f38fc7fcac96
Opcode Fuzzy Hash: 9f94cd31e5a15955585a011d2464506e5749d6ac7d85e1e4e352b535b295f6e2
Instruction Fuzzy Hash: A251BD35A05214DFEF25DBA9C840BADB3BABF0EB14F090069D851EB240D7B49880CB62

Function 0316F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f1bd8aa442f2d76c16828348f71a04d1b91540d3433ab010ab9cef943fccf2
Instruction ID: 44c3b938e45570a0cecbfd9f3ec9a0598d48116701c993cdacb1c4d9bdaf8b4a
Opcode Fuzzy Hash: 83f1bd8aa442f2d76c16828348f71a04d1b91540d3433ab010ab9cef943fccf2
Instruction Fuzzy Hash: D941747BD04229ABDB15EBE8D884AAFF6BCAF0D650F050166E911FB200D734DE5187E4

Function 031601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69104e5f7402366f449bc94b34d6cb5f64c733f1cc50029873ef7dc4b462c86
Instruction ID: fce659fbab06492fc489b861dee1daa13ef94650adf17a744c3da92bd20bcb8d
Opcode Fuzzy Hash: d69104e5f7402366f449bc94b34d6cb5f64c733f1cc50029873ef7dc4b462c86
Instruction Fuzzy Hash: 2D419A7AA052199BCB14DFD8C840AEEF7B4BF8C610F19816AE816EB240D7359D51CBA4

Function 03172750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: b91c5de4d255ce8b77b0e1e91e5942b663f816258951e2616248268f6ce71ed4
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 01514C79A00615DFCB14CF5CC580AAEF7B6FF88711F2985A9D815A7350D730AE82CB90

Function 03136154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c0138b1ade522d3a538170595d2f360548e92de59b81dd7502211f0ff10aa5
Instruction ID: ae61d7d8fa0aa3d722341c86b12f77ef4c7bfe91d031012157908f88a76ced7e
Opcode Fuzzy Hash: 46c0138b1ade522d3a538170595d2f360548e92de59b81dd7502211f0ff10aa5
Instruction Fuzzy Hash: BB511870904216EBDB29DB64CC44BE8BBB5EF0E314F1982E5D429AB2C0D77899C1CF80

Function 0312B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f4fb84d6cf551a227a47049ddcc72c7b20ba047b653f645e21c0e373ee23de
Instruction ID: b0c43ff36d80d3f86d8c987e2b9740206e2a5d3d881129d7812c392d40f24bee
Opcode Fuzzy Hash: 37f4fb84d6cf551a227a47049ddcc72c7b20ba047b653f645e21c0e373ee23de
Instruction Fuzzy Hash: 8F41DC75640711EFCB25EFA4C880B6ABBB8EF0C780F058469E5119B250D774E860CFA0

Function 031FF0E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb906d61e708d9a6a7c42cdcf37d28a74b137b7563b8498f5ff845ec36e71e0d
Instruction ID: 02b20d2f14e91e1ea13c23b3c278a652ea439495a1e21bdb3bf33606c919f028
Opcode Fuzzy Hash: bb906d61e708d9a6a7c42cdcf37d28a74b137b7563b8498f5ff845ec36e71e0d
Instruction Fuzzy Hash: 6C41E1752083419FD704DF25D8A497ABBE1FF88215F188A5EF9968B382C770D80ACB61

Function 031F866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 9ee11a7b55cdfe7227dd275785ac4a6014dabb466479391b4569cc22868df6b1
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: D6419675B00219AFDB15DF99CC95AAFFBBAAF8C610F194069EA04A7341D770DD01C760

Function 031DD5B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec3b2cdbb4b9066469164c528185ddf3fa50434e83ac4f3bb8951c7142227a7
Instruction ID: b682787e7c36308b3a060ed354adcb91a36696c5eb938b3a79e3f763e6d1824a
Opcode Fuzzy Hash: 4ec3b2cdbb4b9066469164c528185ddf3fa50434e83ac4f3bb8951c7142227a7
Instruction Fuzzy Hash: 4041F131A08295AFCB14DF29D495ABAFBF1FF4E300F0A8499E4C58B245C735A456DBA0

Function 0315D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c43bb072ca4492e41214a00c321139dbc291b9dafc4f695fc95de25e2e7fe6bf
Instruction ID: bff133bd3b4e0b48f6baf7f2f9371f16ebdc99f2137f1e5f2522629434a589eb
Opcode Fuzzy Hash: c43bb072ca4492e41214a00c321139dbc291b9dafc4f695fc95de25e2e7fe6bf
Instruction Fuzzy Hash: 5441B17A504300EFD724FF65DC94B6AB7A8EB5D721F14852EF8258B290DB30E842CB91

Function 0312A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 5f5d58a3933f80dd454d821e84ba4b0b07c7463f073ebd565ac13eb5c9b25cf3
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 62413B31A08321DBCB24EF9484507BEFB62EF4C714F1AC06AE9459B240DB359D90CF98

Function 03160710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 6681be96eb36b97998924ffd5deb77a42f1b51a3db2bee19ff5bc98bc52304bc
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: A0412675A04705EFCB24CF98C990AAAB7F8FF0C700B11496DE596DB290D330AA54CF90

Function 0313262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ebf717e031c2ed7910f4f342c7b69ae453a021c2bb929a937cccd241e059f8
Instruction ID: a0512990a6afac4aff13b8e41bf7e1ef99fa45768bcd327984552b192839f5eb
Opcode Fuzzy Hash: 33ebf717e031c2ed7910f4f342c7b69ae453a021c2bb929a937cccd241e059f8
Instruction Fuzzy Hash: 884102B5901714DFCB25FF28D900B29B7B5FF4E310F158AA9C8169B2A0DB309982CF41

Function 031FFFB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c15f1585cba4e500ea4402911b6efd28b33a62c0a3e13174347b8f441b0c97
Instruction ID: 710edfdc20ffddc57b9735d9749f5a908840bfc795d089a80eeafc6b849d91a1
Opcode Fuzzy Hash: 83c15f1585cba4e500ea4402911b6efd28b33a62c0a3e13174347b8f441b0c97
Instruction Fuzzy Hash: 70413B319142565BD740DB2684A06BABFF2BF85205F1CC1A6DC82D7282D679C54AC770

Function 031FFA49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4570e47fd2e59a814507c1b8006eaf11b1b56a50ce18f3949402d146dd10719a
Instruction ID: 9904ffcac83179503d83f556b293ba1cc7c5e12044b89f2c485326a239340d07
Opcode Fuzzy Hash: 4570e47fd2e59a814507c1b8006eaf11b1b56a50ce18f3949402d146dd10719a
Instruction Fuzzy Hash: 263128767105069FC718CF29CC44BA6BB99EF8C750F088674EA18CB284E7F4D946C794

Function 026D1026 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212c67cddb357ee034409966756fb29ce37f76ba36a1a5b19561db3bb26b7ad5
Instruction ID: 3f00f1de9a1d29c699d8d83f35db486297eea9864779ff5c4eab68184a952c0d
Opcode Fuzzy Hash: 212c67cddb357ee034409966756fb29ce37f76ba36a1a5b19561db3bb26b7ad5
Instruction Fuzzy Hash: 373193116597F14ED30E436D08B9675AEC28EA720174EC2FEDADA6F3F3C4888408D3A5

Function 031FFB76 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367bc4642b86baa8056660e3cb842cb076a678d847faabe4f58d990bd108b69a
Instruction ID: 89fecc174450fab65c04f6e60aed0e9c519030bb3afa332df2a27182fc4330f0
Opcode Fuzzy Hash: 367bc4642b86baa8056660e3cb842cb076a678d847faabe4f58d990bd108b69a
Instruction Fuzzy Hash: 0131E236610115AFD714DF29DC44EABBBE5EF8C350B558428FA08CB240D7B4E942C790

Function 026D1030 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 639082958af560db50ca9a0f4b9aa772f095d7f60d4661e4b0a5186ebed9dfa5
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 353182116586F10ED30E436D08BD675AEC18E9720174EC2FEDADA6F2F3C4888408D3A1

Function 031402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 83f43c07c5579d6caa9375dd23a65b51f8e308ff918798ca7b1f64bea5cdd99e
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: A2311232A04344AFDB21DB69CC40B9AFFE9EF0C350F0985A6E855DB351D7749885CBA0

Function 03159274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a528740d165fdd54cbcf3eafe498e905d405e93342aa1a31de94c6853420a13
Instruction ID: e340a7bed5ff1bd89b7f777f12976b5930d7b6f82b1c3daeead75d3e30477f95
Opcode Fuzzy Hash: 5a528740d165fdd54cbcf3eafe498e905d405e93342aa1a31de94c6853420a13
Instruction Fuzzy Hash: C2318575A00328EFDB25DB24DC40B9EB7B5EF89710F150199B95CAB280DB309E85CF92

Function 03135702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87a825b678e425ef8f2a3e5a64c5877e8d6c5cae9552bb5052e0a9f6b096d099
Instruction ID: 1f95eec57157c60bbe135d4b315959aeec63cc42c553ab389916bb5b5b600a22
Opcode Fuzzy Hash: 87a825b678e425ef8f2a3e5a64c5877e8d6c5cae9552bb5052e0a9f6b096d099
Instruction Fuzzy Hash: 1B31D035701B02FFDB55DB20CA80A99FBAAFF4EB54F445065E8418BA50DB70E860CBD0

Function 03134260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ec0ccddfe29c1199f69c4b6a7d749adbeb2828bd74b1424e468eb01df00850
Instruction ID: 86646789b7f332013a9a4a6d235e04ea07501465aeb6c2a38819a3907ec34c5a
Opcode Fuzzy Hash: 07ec0ccddfe29c1199f69c4b6a7d749adbeb2828bd74b1424e468eb01df00850
Instruction Fuzzy Hash: 1041C035200B45DFDB22CF25C981FD6BBE9AF4E314F05882AE5998F250CB74E844CB90

Function 031550E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: f93fd1b2376879b8a2c7247261e5d3edc82af13222a04fac5da8b9f1d85e177b
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 8331DB31608341DBD725DB28C840767BA96AB8E754F0D855AFCA78B281D774D881C7A1

Function 031F61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e100a53110aadd7ad6b8ffba72f79c824fb6b0210f1f366e7cb6faffc7fb3354
Instruction ID: bc56e9daa6471e947ebbe5a758b505347bd59d4cac41cc3c141d41971871d5ab
Opcode Fuzzy Hash: e100a53110aadd7ad6b8ffba72f79c824fb6b0210f1f366e7cb6faffc7fb3354
Instruction Fuzzy Hash: 0A31A176A00215EFDB15DF98CC40BAEB7B5EB4C740F494169E500AB244D774ED41CB94

Function 03129730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13914587cb6e698a565d9c0712c3c8c9256b8f3057380d92eb1480bd287ce93a
Instruction ID: ec3bb142a5a05bc7ff9ce370a065e2458340c1841e109f7e7a5dc9967b1df8d9
Opcode Fuzzy Hash: 13914587cb6e698a565d9c0712c3c8c9256b8f3057380d92eb1480bd287ce93a
Instruction Fuzzy Hash: EC21B37AA00B24AFC321EF598800B5ABFB5FB8CB50F164469AA559F741D770E861CF90

Function 031F6BD7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efdd4463ac4a456894c76288ae40f6e8bd414364739e7deb407ad656c754a93
Instruction ID: 355ce80cc0cd932fa7c09fc441956bdcdbe0443db6801dfe7cac31c199a88f36
Opcode Fuzzy Hash: 1efdd4463ac4a456894c76288ae40f6e8bd414364739e7deb407ad656c754a93
Instruction Fuzzy Hash: 83318E31600244AFCB24DF2AE885A5B7BF4FF4D310F958469E908DF249D3B0E955CBA4

Function 031F60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9721949bc6a183f1413a6bfe4bda841c6fcb7f1837d7aadf6821857dc1203221
Instruction ID: fc8de10f7c693f46ca9372a9828060c67f44ca3f6f65a9efc37bf7e7cb09df80
Opcode Fuzzy Hash: 9721949bc6a183f1413a6bfe4bda841c6fcb7f1837d7aadf6821857dc1203221
Instruction Fuzzy Hash: EE31EE79B04615AFDB22EBA9CC50B6EBBB9AB8C314F1440A9E641DF341DB30DC418B90

Function 031307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b750178d25f5038f403e94e8d6c653b611589b4a158a5cb2b58be90d67183538
Instruction ID: a5011fc48019174b8236d7229cfb5d46d6945b005f68493a2f43605d0a05384c
Opcode Fuzzy Hash: b750178d25f5038f403e94e8d6c653b611589b4a158a5cb2b58be90d67183538
Instruction Fuzzy Hash: 7A31C536E04711DBC715EF248880AABBBE5EF9E660F0645A9FC56AB310DB30DC1187E1

Function 0312D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 3a4150e4ac2cdb8139d16222b6a7bc217277095047393bc3bf29009c4bea4ee4
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 3E31E936A00624AFDB21DE54E880F6AFBB9DF8C754F1E8469ED259B250D338DD50CB50

Function 031357C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e50383e7c3bd4f4d4ebb8bfb5fc4ac62ef624f9afcb6d753c2df7907763d99f
Instruction ID: a3cf2c5ef1b76810d6797ed3bd6453ca5f28b7772e73fe3ec08f1aed522b0cc2
Opcode Fuzzy Hash: 6e50383e7c3bd4f4d4ebb8bfb5fc4ac62ef624f9afcb6d753c2df7907763d99f
Instruction Fuzzy Hash: 4231A039B15A05FFDB55EB25CA40AA9BBA6FF4E710F4450A5E9018BB50D731E870CB80

Function 0316A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 52c9cfa4a0afb5d4c299852a77696c528483fdc143f383c700344684036e4771
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 883126B2B00B00AFD764CFA9DE41B57B7F8AF0CA50F08492DA59AD3650E731E900CB64

Function 0315438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931790986a3fe3c01d45d6a35e0d14b6c46bb0186f0e48ae9b0b9818edf891fd
Instruction ID: b15a694d7b8f3ffac5370768026e52e2f8ff7210bdd0929fe196045f16511667
Opcode Fuzzy Hash: 931790986a3fe3c01d45d6a35e0d14b6c46bb0186f0e48ae9b0b9818edf891fd
Instruction Fuzzy Hash: EB31D832B00305DFDB24EFA6C984A6FB7F9AB88705F00852AE855D7554DB30E985CB90

Function 031392C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: ce66fb35d8c20d19ff13571e166a6ee817fd72f08329c7c3a203ef77511c7642
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 8F317CB56083499FCB05DF28D840A5ABBE9EF8D350F05096AFC519B3A1D730DC55CBA2

Function 03187190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 01545482b00522a83068d5326632ef90f3bd627c4e7272952664ebdc1f10ff7a
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: F0315235604206CFC710CF28C48091AFBE6FF8D310B2986A9E9589B365EB30ED46CF95

Function 031EC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 6e37cfa13a5e1c7d5a015681c24263eed7e6401ada61727c2027804ee3c0e8d5
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 1F21F93F600A5567CB14EBA5CC00ABAF7B4EF48710F44841AF9A78A551E735D950C3A0

Function 0312C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82cbe7104cec8b71023458d3320adc3359aa0c4c55cb23f633d32902fdfc9d4e
Instruction ID: 78737dbef89ae5aa4fa8193f4098da0f8f6cef65fff9df9ef91999122c4e9c98
Opcode Fuzzy Hash: 82cbe7104cec8b71023458d3320adc3359aa0c4c55cb23f633d32902fdfc9d4e
Instruction Fuzzy Hash: 1E3135B65003109BDB34FF24DC41BA9B7B8AF49318F58C1A9D8459F381DB749986CFA4

Function 0312E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: eaf105f1bc3e0a9835cce90b96f7584bdb336426cb2db5f9eb0030024e823bbb
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: CB319A35600754EFDB25DF68C884F6ABBB9EF48354F1549A9E512CB290E730EE42CB60

Function 032003E6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852c51c6da15c9ea7e66af384eeb8f1e8ad9b8a218afb79609a16c518fdcd0ce
Instruction ID: 20730b95ba2e84dd740429979c3fd04172b089623607026f0a5cfbf6ebc8d0d8
Opcode Fuzzy Hash: 852c51c6da15c9ea7e66af384eeb8f1e8ad9b8a218afb79609a16c518fdcd0ce
Instruction Fuzzy Hash: EC318171A10119BFDB14DBA5D898F9FBBB9FB88304F418129E905E7241CB706D48CBA4

Function 031AE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182b454e0792dbc4f8509b7d49b10f3724ac224c20cb138f004bca991cabb733
Instruction ID: a66b356f4d2b99c0ccf12827016598d8b5b90f9729b04cba037dc03a345a6380
Opcode Fuzzy Hash: 182b454e0792dbc4f8509b7d49b10f3724ac224c20cb138f004bca991cabb733
Instruction Fuzzy Hash: 8D31A279A00605EFCB18CF1CC884DAEB7B6FF88704F154959E8099B391E771EA51CBA0

Function 03133616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5a549ddf5e32ec2a74574eac0497a9f4487e63e2e6bcbe813b3256655ef8c9
Instruction ID: c96453143cd539bce74032f671380a9e6078557049551951be3a8e6bc2283655
Opcode Fuzzy Hash: 6d5a549ddf5e32ec2a74574eac0497a9f4487e63e2e6bcbe813b3256655ef8c9
Instruction Fuzzy Hash: 792105792457509FC761DF04C944B6ABBA4FB8AA10F090C69F8650B641C7B0D984CB81

Function 03200591 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d1026d8f6e3ec4cad4d66a4bae7a2a89ab685aab773509bd94567bcb21cbca
Instruction ID: 9b44343251f6de5fbfd59672d8cdb437dcf40dd675a788c7ead59d5b313cfd70
Opcode Fuzzy Hash: 43d1026d8f6e3ec4cad4d66a4bae7a2a89ab685aab773509bd94567bcb21cbca
Instruction Fuzzy Hash: CC21A2726242068FE728CE29D880BAAB7A6FFD4310F59C478D915DB1C6D770F889C750

Function 0315F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 7e5b1b28ee47a740109050cb900936503769cdda6bd4d6679e8d8fd68a8914dc
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 1E21D172200304DFD719DF15C445B6ABBE9EF99361F15816DE91A8B3A0EBB0EC02CB94

Function 031B06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c30b99bf1c298d74b55d60b4c74229b55f57ffc758b87eb939e2aa6ca4589f4
Instruction ID: de051c28d7fc2933f4bcf433563f03676c41c7b73feefaba7751302a936f1b01
Opcode Fuzzy Hash: 2c30b99bf1c298d74b55d60b4c74229b55f57ffc758b87eb939e2aa6ca4589f4
Instruction Fuzzy Hash: 30217C75A00629ABCF24DF59C881AFEF7F8FF4C740B554069E541AB240D778AD52CBA0

Function 031B019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31ee438f02daf9f4de227b06a46ed31294f6533c7e370d6384adbfebf99f83b
Instruction ID: fa1d27b104370d082f70f41b49824002c9050db82d56887d65e74d953d79e8b7
Opcode Fuzzy Hash: d31ee438f02daf9f4de227b06a46ed31294f6533c7e370d6384adbfebf99f83b
Instruction Fuzzy Hash: 12218975600644ABCB15DBA8D844BAAB7B8FF8C740F1840A9F944DB6A0D734ED50CBA8

Function 03169660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c32f665a7188a463a4072373893bcc2ae57b20718b73bbfcb22d2ced03bda74
Instruction ID: fe558b91bbdb4e1ff1c7a171f452c2deaeeb274a2f523458e057df7b700f1fc1
Opcode Fuzzy Hash: 4c32f665a7188a463a4072373893bcc2ae57b20718b73bbfcb22d2ced03bda74
Instruction Fuzzy Hash: C0216835104B01EBCF35EB69DC00B2677A6FB4C224F184659E8928A5E0D771A8A5CB52

Function 031B0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cbb433a99380254e4be5b0aa6468a0ed3b4136c63914a12ddc30df7532b254
Instruction ID: 9a3ea3f0a6009c23cb3075f6c0b61c0b36dc1126afb082587e6f1d767ed09ddc
Opcode Fuzzy Hash: 70cbb433a99380254e4be5b0aa6468a0ed3b4136c63914a12ddc30df7532b254
Instruction Fuzzy Hash: B8219D729043459FC711EBA9C848B9BF7ECBF8D250F08485AFC908B261D734D948C6A2

Function 032001AA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3106e630dfc278986479d093d1d04e0436bf2c3b7cb67cd2a6939dd91f49f37
Instruction ID: 2eb83d05a68a33b77d3b1d5761929b6f854ba6c0496a292e6641ab20c3a625ee
Opcode Fuzzy Hash: a3106e630dfc278986479d093d1d04e0436bf2c3b7cb67cd2a6939dd91f49f37
Instruction Fuzzy Hash: 0421E4612082504FD745DB5A88B44B6BFE5FFCA125B29C2E6D885CB343C174D94BC7A0

Function 0316A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26140bc407130bc7564261cee1053b3cc8ca1d74defbb27e9c5ccad5222bc3b6
Instruction ID: b2652362f43dcb65af75434960d2f8a837c064eebb1ff688032f7383da498000
Opcode Fuzzy Hash: 26140bc407130bc7564261cee1053b3cc8ca1d74defbb27e9c5ccad5222bc3b6
Instruction Fuzzy Hash: 57217C79200B10AFC725DF69CD01B56B7F5AF4C744F1884A8A919DBB61E331E852CF94

Function 0312B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c763a4c82703ffde881ebcf635c2e5a83f0bc6e940a7754190ec852e8c0d88fa
Instruction ID: d092492d417d9ef0a48a0dffe42f49abfa2a7589560c7136c9e741213b35f848
Opcode Fuzzy Hash: c763a4c82703ffde881ebcf635c2e5a83f0bc6e940a7754190ec852e8c0d88fa
Instruction Fuzzy Hash: A7217A36110B10EFC721EF68D940F19BBF5FF18708F18896DE01A9BAA1C738A852CB44

Function 03160124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: d8afd6ae39fb449ce394eb54ecd52f47ca430f63d544f153c3d14128107ed749
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 9C11DD76605704AFD722DA85CC40FAABBB8EB88754F154029E6009F180D775ED64CB60

Function 03138770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e2e2ef2caba5fdbc56f4c5b2dd6670208520864bc4b2ca2f6bd91dbb80f007
Instruction ID: 00320db39934e6551e0b5e89542c7089ff3e374228b1c54cb9527ed51aa2eb32
Opcode Fuzzy Hash: 58e2e2ef2caba5fdbc56f4c5b2dd6670208520864bc4b2ca2f6bd91dbb80f007
Instruction Fuzzy Hash: 47118236701621DBCB15CF59C580A5AF7EAEF4F750B1940A9FD08DF205D7B2E9068790

Function 03133720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c732e7f401f9bb93fd9266638a2ccae6a527c2719a7bbb6eb961b93f15adfeff
Instruction ID: eea47655a56e6b83e20e589590518e554e5b2ca3bf9b8f2693edc3297a408b00
Opcode Fuzzy Hash: c732e7f401f9bb93fd9266638a2ccae6a527c2719a7bbb6eb961b93f15adfeff
Instruction Fuzzy Hash: CA212979A002088BEB25DF5DD4487EDB7B4FB8D318F2D8418C821572D0CBB89945CB54

Function 031380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f055fac91be7418a1fbe94087829db972a6e160fb64b8d9c63c7eee92ba474ab
Instruction ID: 8710be8dcc12bf44d7d6320d7afedde880984f06d5c7438989ed5a2dfb17b49e
Opcode Fuzzy Hash: f055fac91be7418a1fbe94087829db972a6e160fb64b8d9c63c7eee92ba474ab
Instruction Fuzzy Hash: E7218E75A00205DFCB18CF98C581AAEBBF5FB89318F24416DE105AB310CB71AD4ACBD0

Function 0316674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cf3c882bf9ff5b8b4004a92332b819897201d0032462a5d568de3c28f493f2
Instruction ID: 7d5d5c7e1a0a3febb0ff20e6990809a26767650fa24ed18081e3444d49e885e6
Opcode Fuzzy Hash: a0cf3c882bf9ff5b8b4004a92332b819897201d0032462a5d568de3c28f493f2
Instruction Fuzzy Hash: 02215E75610B00EFC724DFA9D841B66B3F8FF48250F44882DE49AC7650DB70AD60CBA1

Function 03129240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a43c276258838ffec47c5aa1aa52b4b3b69bdeac37f23785e1393c3857490bc
Instruction ID: b23d7aafb94e1a12cab103c6b3fd7fb3bc4f33b0390e536a01b3164298947292
Opcode Fuzzy Hash: 9a43c276258838ffec47c5aa1aa52b4b3b69bdeac37f23785e1393c3857490bc
Instruction Fuzzy Hash: AA11BE3B020240BBD734EF56EC05A727BA8EBACB80F149025E9009B258E378DD01CF65

Function 031666B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c108a8a4336b511bd5d4e41d4f7fbbc5dad23294e3fe0d88b044acc4a97aa1e
Instruction ID: 3575b789476664f9bb64cf94108e60100b7d42be50e66df2925f46bdc98ba197
Opcode Fuzzy Hash: 2c108a8a4336b511bd5d4e41d4f7fbbc5dad23294e3fe0d88b044acc4a97aa1e
Instruction Fuzzy Hash: AF11C17AA01244EFCB24DF99E980A5ABBE9EF98610F0A8079E8059B310D770DD10CB90

Function 031FFF09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2c7d587c742a8da167f65a09cdf47b065ecc438f78d7cce9fef6bb7d3fded1
Instruction ID: 8227b54b32fe8347d4639825b69a2a46fe8b1bfc0134c5f3a72cfd60fbc6c8ac
Opcode Fuzzy Hash: 4a2c7d587c742a8da167f65a09cdf47b065ecc438f78d7cce9fef6bb7d3fded1
Instruction Fuzzy Hash: 362154716142059FD754DF29E884A42BBE5FB5D210B95C5BAE90CCF24AE770D844CB90

Function 031527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7503b137f9434c9dd1dc4e914797f8c2d8c997a8d7eb77cd0f7c815ca9336f53
Instruction ID: caf42c10973c6843abdee7076a321cbf9512d71b428bbd1a3fe4c040fd539132
Opcode Fuzzy Hash: 7503b137f9434c9dd1dc4e914797f8c2d8c997a8d7eb77cd0f7c815ca9336f53
Instruction Fuzzy Hash: A0010436605744ABE31AE3AA9C44F67A6DCEF893A4F0A04A5F9108B640DB24DC01C2A1

Function 0315B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c72b31157eb864a02a037c80567b9007a88e000f478665f775f183290436819
Instruction ID: a428c51e49c18473fae07468ae9127065c4d454b168c4ae189708eeddd483898
Opcode Fuzzy Hash: 6c72b31157eb864a02a037c80567b9007a88e000f478665f775f183290436819
Instruction Fuzzy Hash: 2601C476B08300EBD710EB6A9C81F6AB6B8DF8C614F044029FA25C7141EB70E9008621

Function 03134690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415392ad55b511f2c432266cf5137babb5c856ee6b965d93395d2a0b09d89fdf
Instruction ID: b2abe72002c6d26f568bc07ebbcb968162fd2de1e28cde2eeed87ae49d03f227
Opcode Fuzzy Hash: 415392ad55b511f2c432266cf5137babb5c856ee6b965d93395d2a0b09d89fdf
Instruction Fuzzy Hash: 3711E17A240744AFDB25CF5BD944F56B7A9EB8FB64F094129F8148B690CB74E840CFA0

Function 031ED6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 3b5ea604290cad90f7ea7b3d53a26773f58bbcef595b6d29abd516d3ae743407
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: A7018876B00609BF9B04DBA6DE44DEFBBBDEF89A48F050059A915D7100E730EE51D760

Function 03166620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6c9d2c40db7dcea42833fdb72dcab4e3688e02af7bb84223f2379059169f4a
Instruction ID: 3c1db5075393cbe28fac913043385834682c2445e45f4b8b19f1e3f1b6cf2a0c
Opcode Fuzzy Hash: 3e6c9d2c40db7dcea42833fdb72dcab4e3688e02af7bb84223f2379059169f4a
Instruction Fuzzy Hash: 7C110876A00715ABCB21EF99EDC0B5EF7B8EF4C740F540455D901AB200D770AD11CB90

Function 03127330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a250367bf0775d74a2b84c36b8b5273284a21d774fd57365a9ae2c5a39540fb7
Instruction ID: df617c6dee3ef98eb761ef7ebc13332e40bf490160dfc9b37fdff67c20cedfca
Opcode Fuzzy Hash: a250367bf0775d74a2b84c36b8b5273284a21d774fd57365a9ae2c5a39540fb7
Instruction Fuzzy Hash: 4311A071600724AFD721CF66C841F6BBBE8EB48304F058429E985CB252E775EC50CBA1

Function 0315F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f238072174bc720bf46a527b608f9df92a394633612558ce364d946420e6d9c
Instruction ID: 332fbe696cd668c564d842b2d23df6ff83c919083f5c075f7d39dc60c8c57f8b
Opcode Fuzzy Hash: 3f238072174bc720bf46a527b608f9df92a394633612558ce364d946420e6d9c
Instruction Fuzzy Hash: 9511AC79600A48DBD720DF69C984BAAB7B8AB4C600F1904AAE901AB641DB79D941C750

Function 031C72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 91d3d2e62b88c1bc2838f9cd7a6e3f8c7f345f09a09bb4c5d1d60e052514b947
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: 1701D27A240605BFD721EF56CC80E62F77DFF5C390B044929F110475A0C731ACA2CAA4

Function 0312A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: c67a47d1f34dc739c5e68973ae460d6d7692eb043b593f5a73c9d64aef8c26cd
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 1601C072505B219BCB20CF559840A26BFAAEF4DB607058A6DF8959B680DB31D830CBA0

Function 03136259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371857dae3e2c07374bc0fe65714f68a68d4af739ea988f8fde96ffd5db6a447
Instruction ID: d1a5c8042a55f0c8163a13015507304587f80da250ef9546d3c9b3f4fbd54598
Opcode Fuzzy Hash: 371857dae3e2c07374bc0fe65714f68a68d4af739ea988f8fde96ffd5db6a447
Instruction Fuzzy Hash: BE115E75541218ABEB25EB64CC45FE9B378EB0C710F5445D5A314AA0E0DB709E92CF84

Function 0313208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: e6c705e493ad194eb0a876c35970daf9fb5ef294bd2afeb805cdccafcb174ae4
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 000128362002108BEF14FB19D880F96B76ABFCD700F5A49A5ED158F245DB71C8C6C790

Function 0312C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 7c8beb825237f5c1bbd9e945a41e48804fe46eb234909fc9a9cc2cb16d4b6c40
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: D901B9361007449FDB22E765E800A67B7E9FFCC754F05841AA6568B580DB70E451CB50

Function 031720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71757d972d5317cf992498278f176daa49b4c6c885808c37ddf521e5796fdbd
Instruction ID: 0cd563a68e321cc728476962f7e66bc19a71b6ced77dab4677ea6e0a73807db3
Opcode Fuzzy Hash: e71757d972d5317cf992498278f176daa49b4c6c885808c37ddf521e5796fdbd
Instruction Fuzzy Hash: A7116939A0020CEBDB05EFA5C850EAE7BB9FF48340F044499E9019B290DB35EE12CB90

Function 03129353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: ae4ef09954e28f85f0e31dbbe2caad869d44c4b441f13196bf49c8aba89b8af3
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 05115B32911B219FD721DF29C880F22BBE4BF48762F19C86DD4994E5A5C375E8A1CB50

Function 031533A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: cef60ee3cedebafa53ca2c51b041f7ed86978168cb5b385173aba66c552abaea
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 5201863A700205EBCB16DB9BDD00F9FFA6D9F88681B154829BD35DB160EB30D951C760

Function 0316D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 77c200f156bf9894e4e94b92e91b88c4f2e5bd0d375457120d720d00013d5b80
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 7E01477AB006049BD710DA94F800F65B3A9EFCC620F15C15DFE228F280CB74D850C780

Function 0312826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71735e89a02c0ab8079207308895bd8e36893e91f391d3aeb923072ff5a0419a
Instruction ID: a79578343751f2d95b2cf6188d20a30351bd8ac2488958911791c847949f3151
Opcode Fuzzy Hash: 71735e89a02c0ab8079207308895bd8e36893e91f391d3aeb923072ff5a0419a
Instruction Fuzzy Hash: B501A735700618EBC714EB65DD149AEFBB9EF4C660B1A4029D902AB650EF70DD01C691

Function 0314E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: d23f24a23eb4bb3259d8692b29ffc89888c93f6dbba0f1ccaed427f8b86523c1
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 1D011A723006849FD326D72DC948F76B7ECEB49750F0D44A1E915CB691D768DC80C665

Function 031EF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6464419d1572bec156bddc80dee1a6bb0d724a2b9deefd62444938c2a2949080
Instruction ID: 324b45b295ccb5ff5a7df89d41d70ca499078237cbf186677a3fd1d5635118f1
Opcode Fuzzy Hash: 6464419d1572bec156bddc80dee1a6bb0d724a2b9deefd62444938c2a2949080
Instruction Fuzzy Hash: 78018475A10358EBDB14EBA5D805FAEB7B8EF48700F044466B901EB280D774D901C794

Function 0315BBA0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
Instruction ID: a6c742a69a522cbcd41772bb6044cabd972d92e42b326bdd4f3bb2d5c5cc8d7c
Opcode Fuzzy Hash: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
Instruction Fuzzy Hash: 57017177904129DBCB28CF49C5A0BADB7A5EF49710F1940B9EC16A7340DB71AE00DB94

Function 031F972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 03205636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3702aab0a3dab6258da83c159233e33ca6c8fdd14fd1db8c16ede2698ac3f59d
Instruction ID: c33aa3ed6a8318903510fe9a36f1e10703e30a2fa40da716cccbdbb6fd89cbb5
Opcode Fuzzy Hash: 3702aab0a3dab6258da83c159233e33ca6c8fdd14fd1db8c16ede2698ac3f59d
Instruction Fuzzy Hash: 28118078D10249EFCB04DFA9D444A9EB7B4FF18304F14845AB814EB381D774DA02CB95

Function 0312C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: c436706cb210e75d448be586112ffd2dd7292f105519e98f4c9f942e94c93bf7
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: FCF0FC3B2447329BC732D6595880F6FEE95CFDDBA4F1A0436E3099F204CB648C2256D1

Function 03205152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f042f6433a182b7b95ce76358960abcfdaaeb1d8dac3237505c830ba3cd75b76
Instruction ID: 213c4e011002dc1177dc7c6b536e1f197ba1ede9199b2459c4a81760279219ff
Opcode Fuzzy Hash: f042f6433a182b7b95ce76358960abcfdaaeb1d8dac3237505c830ba3cd75b76
Instruction Fuzzy Hash: 3B012C75A10209ABDB00DFA9D9419EEBBB8FF4D710F14405AF900EB381D774AA018BA1

Function 03205060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e6217514958d27e4eec7dac20e6919876c5395c7d3c760d5041ab32391e4a7
Instruction ID: cdcadba4a3c1071a6555bbd65a47bf7ea882de3be649d9251fa9d69d05eea530
Opcode Fuzzy Hash: 72e6217514958d27e4eec7dac20e6919876c5395c7d3c760d5041ab32391e4a7
Instruction Fuzzy Hash: 99012C75A10309ABDB04DFA9D9419EEB7B8EF4D310F14405AF901EB381D774AA018BA1

Function 0315C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 0d0e6e2c3d30ec8c2b9869e330f6c9a4101fe90019749c9abe40ae1240678922
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 7BF0AFB7600710ABD324CF4DD840E57F7EADBC4A80F088128A915DB220EA31DD04CB90

Function 032050D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b326da41ad72bd167eca97153c3604a23d1b7126a248d94eac18a014d0f4c240
Instruction ID: 2b07e4995bac79b5ac4888e68e4a80817084dd167847f3a9eb94f69ec94fb988
Opcode Fuzzy Hash: b326da41ad72bd167eca97153c3604a23d1b7126a248d94eac18a014d0f4c240
Instruction Fuzzy Hash: D4012CB5A10309ABDB00DFA9E9459EEB7B8EF49710F54445AE500FB381D774AA018BA1

Function 03165734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 2c4a055a5a753001e350c2ce049e53fb18420d6cb93c0728a56ce3d7bf1aeb8f
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 9BF0FF72A01214AFE319CF9CC840F6AF7EEEB4A650F094079D500DB230E771DE04CA94

Function 03205537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa3b0ce4d4e1b44fba4ddc72c1f95d985a42d4678e4e7ea02f8b99bf585e93e
Instruction ID: 8604ca082d1a6eff45b73ef7fe50386359dca67a65947aeb3b52e14986b79053
Opcode Fuzzy Hash: 1fa3b0ce4d4e1b44fba4ddc72c1f95d985a42d4678e4e7ea02f8b99bf585e93e
Instruction Fuzzy Hash: 10110974A10249DFDB04DFA9D941AADBBF4BF08200F14426AE518EB382E674D9458B90

Function 031EF78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2489df183bacb5e7dc2399345d036df7a6d12ffead1dc1a0f55afeaa742f0ada
Instruction ID: 7f4f647247b5de6e69131aa0b9c632261e1d7ff3c801dd9c2976603680dfca90
Opcode Fuzzy Hash: 2489df183bacb5e7dc2399345d036df7a6d12ffead1dc1a0f55afeaa742f0ada
Instruction Fuzzy Hash: E0010CB4E00749AFCB04DFA9D545AAEBBF4EF08304F15806AB855EB341E774DA01DB91

Function 031EF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de8c2d64787bc4f1f7a8f5b94d2d337ca7fd8fc7ba3b81c09e13df4308758d0
Instruction ID: 86b7597541cf074c9315ab5ecc6a6fa4137d39918ba7ca3384f14f2a01c597d3
Opcode Fuzzy Hash: 8de8c2d64787bc4f1f7a8f5b94d2d337ca7fd8fc7ba3b81c09e13df4308758d0
Instruction Fuzzy Hash: B3F0C876B10748ABDB04DFB9D805AEEB7B8EF48710F048456E511EB280DB75DA01C791

Function 032061E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9813aa356283ff4b0dde2da09713e02391a50df13a7c53bf4f75dafeb4f5b364
Instruction ID: 19c1df5bb5913bde600566c1a6591276ec5db5183fd4e9af256efeb0dae5d051
Opcode Fuzzy Hash: 9813aa356283ff4b0dde2da09713e02391a50df13a7c53bf4f75dafeb4f5b364
Instruction Fuzzy Hash: CB014F75A10259EFDB04DFA9D845AEEB7F8EF48310F18405AE501AB280D774EA01CB95

Function 0316724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 6b47ca5cb7cd5c60a5c7434da2bdb5a31740af9e971089b9f4f1abeb9fe471b8
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: B5F0F675A113556BEB14E7EA8940FABB7A89F8C614F0C8599BD029B180DB30E950C790

Function 032053FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6c7aef55571ef3cba24998df79c32a68cc11bc7406534dd0ab55eacbeb8045
Instruction ID: e9c6ca7cfadba662faa881cd2a2db0dd6286c0466d2ebaeea36ada234703483e
Opcode Fuzzy Hash: 4a6c7aef55571ef3cba24998df79c32a68cc11bc7406534dd0ab55eacbeb8045
Instruction Fuzzy Hash: E9011A74A1020AEFDB04DFA9D545B9EF7F4FF08300F148269A519EB382EB749A448B91

Function 0312C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a51471b13dd5ff20324fd4de8ca6695535e8b984d140d9e15a8c1fce2de159c
Instruction ID: db866099a82e8bcd71721c282e3c6082c68546ef38c38fdaf229ed43e3dcdc4d
Opcode Fuzzy Hash: 9a51471b13dd5ff20324fd4de8ca6695535e8b984d140d9e15a8c1fce2de159c
Instruction Fuzzy Hash: D4F024712043249BE714E6599D02B663A9AEBCC750F29806AEB058F2C0EBB0EC5183D4

Function 03203749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: 1be17427c5f22365bb288cd1d39e68e4e97735814c23dd389fa1904493f79f48
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 47F0447A540304BFE711DB64CD41FDA77BCDB04710F100165A615DB1D0E670AA44CB90

Function 031D437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: c51ea3f22e078bae8bbd872be2ff3c7239f8eee33453b02b1b07afc961e8f772
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 3AF0E935745F3267D735EA6F8410B2FE2569F8A900B4D052C9451CFE80DF30D8108780

Function 031EF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee0296622b9d804449ace40d91db41143b0a83672b2dee77ab2d6b62fa701d5
Instruction ID: b0efc83d443646fe8ec5766b03eba10255127c09b02e0f3fafabe03a8c32a105
Opcode Fuzzy Hash: 5ee0296622b9d804449ace40d91db41143b0a83672b2dee77ab2d6b62fa701d5
Instruction Fuzzy Hash: 4BF03779A01248EFCB04EFA9D945A9EB7F4EF08300F448069B945EB381EB74EA01CB55

Function 031292FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc4f6306ac6f89331b69693a416b06cb15d9f75c795118939d04ee7d248baa9
Instruction ID: 8a08afcc61add718b2194d3bad19bec31b67da587d8090f119e584b91ffe852f
Opcode Fuzzy Hash: abc4f6306ac6f89331b69693a416b06cb15d9f75c795118939d04ee7d248baa9
Instruction Fuzzy Hash: B0F0FA36200340ABC731EB29DC08F9ABBEDEF88B00F080569A94283090C7A0A929C660

Function 031347FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f027aec4d8f8cfa8c093c502ab7886554d683f7aa1f2f6848cdbbc09ea3af9
Instruction ID: 06774921d42f1b7f09a13f371015d8c9ce5b2466a5ea5b98d430da52050e0279
Opcode Fuzzy Hash: b9f027aec4d8f8cfa8c093c502ab7886554d683f7aa1f2f6848cdbbc09ea3af9
Instruction Fuzzy Hash: 77F0BE399127E09FD732DBEBC544B21B7D8DB0E760F0D89EAD48987561CF64D881CA90

Function 031EF6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d171f96b2981727c40c025ff1a0b31b8a6428f817beef34ef85ce9d37f6aa06
Instruction ID: 87ac101b9bdb6588f6ea48ca777648197d79522573bdb0f296130e423ea14b85
Opcode Fuzzy Hash: 7d171f96b2981727c40c025ff1a0b31b8a6428f817beef34ef85ce9d37f6aa06
Instruction Fuzzy Hash: 8AF06D79A10348EBDB04EFA9D805EAEB7F4AF08304F444069E901EB281EB74DA01CB54

Function 031F0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e9da66aecdbc935d23a0d14dc9cf0c82aaa710ae63ea10648a4bf5b6d90814
Instruction ID: 8796943b66d7b3cecc31d6ae4d272702419bbdf6f9ca70e3891001d1e7f10a67
Opcode Fuzzy Hash: 65e9da66aecdbc935d23a0d14dc9cf0c82aaa710ae63ea10648a4bf5b6d90814
Instruction Fuzzy Hash: 78F0277B41EBC06FCF31FB287C54391AF59975E010F1E2085CAA15B206CBB9C483C620

Function 0320539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c6badbbb101edbb3a79c5660b6e833ad0ebe0e0d018fb35f5933d5b3caf83b
Instruction ID: df2a83cc18595dc99ebd1142129cef556bbc7cf9c40e8016e6e852be3f206a03
Opcode Fuzzy Hash: a2c6badbbb101edbb3a79c5660b6e833ad0ebe0e0d018fb35f5933d5b3caf83b
Instruction Fuzzy Hash: 32F0BE74A2034CAFDB04EBB9E845EAEB7B4EF08300F248458E501EB281DBB4D901CB24

Function 03205283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b350a7e33adf474389fbfb7350be8ed617a9036028faa5efcb3e1085150f7f
Instruction ID: bdcb3084db7ea943c405a4dad1d29fac0b64c5ab08b803866ed4930e4d2e1dc7
Opcode Fuzzy Hash: 25b350a7e33adf474389fbfb7350be8ed617a9036028faa5efcb3e1085150f7f
Instruction Fuzzy Hash: 3DF0BE78A20308EFDB04EBB9E905EAEB7B4BF08300F544858A451EB2C1EB74D9008B50

Function 032052E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f499de466f2be0e5a834aa2569c84bf06fb9fa584ddfdbfd2aa4ce80b421a16f
Instruction ID: 3b0584567a7a56853e77cebbe8dc70a771d94b40aa885719cea5dbfd2a488811
Opcode Fuzzy Hash: f499de466f2be0e5a834aa2569c84bf06fb9fa584ddfdbfd2aa4ce80b421a16f
Instruction Fuzzy Hash: 25F0BE74A20348ABDB04EFB9E905EAEB3B4AF08300F544458A401EB2C1EB74D900CB54

Function 03172619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 6fa998c694cd13f42dcf58fca3f36ee0b88f23f6b0aa79b6e5de9c8d121c0d7a
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 89E092723006002BD721DE59CC80F47B77EAF8AB10F08047AB9045E251CBE29C1A82A4

Function 03205341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bde3893eed839d8da10957f7de22c888313ddaa67337d8b46ebf8902468fa8
Instruction ID: 7e330bbe16e0c3f534d4582330eb1f811dea14dd4a9824a5c16aa9aeb4cb20fc
Opcode Fuzzy Hash: e8bde3893eed839d8da10957f7de22c888313ddaa67337d8b46ebf8902468fa8
Instruction Fuzzy Hash: B6F02074A1430CEBCB04EBB9E849E9EB7B8EF0A300F640458E412EB2D1EA74D9008B14

Function 03205227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac0b4bfef3ba7b967c99843e09549f2494977133035c262231443cab51f7f6b6
Instruction ID: adbc65f7761cd9eb41885bf39edc25e9656fa7693b6771f78ff87dbb70c45fdc
Opcode Fuzzy Hash: ac0b4bfef3ba7b967c99843e09549f2494977133035c262231443cab51f7f6b6
Instruction Fuzzy Hash: 20F08274A24349AFDB14EBA9E915EAEB3B8AF08704F540458A911EB2C1EB74D9008755

Function 03167208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63fc87744e47fc9a8b95319d570bc81a6cbf9a7ce4b20abb36d64edccced1d86
Instruction ID: 5786acedee2c8c9c40693b5ed429321ddc45367d9c69391f99d7d347ffd9b9ba
Opcode Fuzzy Hash: 63fc87744e47fc9a8b95319d570bc81a6cbf9a7ce4b20abb36d64edccced1d86
Instruction Fuzzy Hash: 31F02779A11A84AFC721D32EC184B11B3D99F0C772F0D80A0D4058F742CFA8C880C290

Function 032051CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bc0ea49dab11e1496a8cb3a8366783732042f74d61eee7335c3c81e6e59dbf
Instruction ID: 7efd2ab31317b23ee54e2e1630920ddb64206a74393a12f92945fbf1bee0dec2
Opcode Fuzzy Hash: d1bc0ea49dab11e1496a8cb3a8366783732042f74d61eee7335c3c81e6e59dbf
Instruction Fuzzy Hash: BFF08274A24249EFDB04EBA9D905E6EB3B4EF08304F540459A911EB2C5EB74E900CB55

Function 031EF72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0192a4ca45cf6c8cd8576b00b8512d10e1bfb5e99e7794954327f5d1752d1eb7
Instruction ID: 62203b379a68aa32c748fb5d42613abd9b83b333a28cf64dfc1f2a6bc2910e84
Opcode Fuzzy Hash: 0192a4ca45cf6c8cd8576b00b8512d10e1bfb5e99e7794954327f5d1752d1eb7
Instruction Fuzzy Hash: 84F02774A00348EBDB04EBB9D949E9E77B4EF0C700F050054E501EF2C0DA74D9019714

Function 03130710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: d6b1cfa87f2b5cd3148b9712996f929a26710439b9a9b58fe1cdf1e94a8a5f78
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 27F06D3E2047449BDB1ADF1AD450AA57BE8EB4E360B0504D5E8968B351EB32E982CF94

Function 032037B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 4c8f31785831f9fc70a76c4a86abf2c420e6543a4e987e67816d09336d21509b
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: F5E06D76220200AFE764DB58CD05FA673ACEB04720F180258B225970E0DBB0AE85CA60

Function 031EB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: f19568053fd69578cd1f5725ac28e67940404d147d0e2d8cd6850b05718c1b73
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 74E0CD35248714B7DB22AA40CC00F697B15DB547D0F108031FB085E650C7719CA1D6D4

Function 0312823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 87a26a80cba14d0ad9a869a37b994def3180b19079050013a60cce90d3f066f8
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: B8E08C35105A20EFDB31EF15DC04B527AB5FB4CB10F298C6AE0810A4A48770A8A3DA48

Function 031B92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4e09338e29685701057afcfec61bb759d1e1dc1193ba8f7bcdde9ed00f1e7e
Instruction ID: 8da16dcabd25180f676cf2c786b36ca9c15314e0f2b660620f037f332f4349c5
Opcode Fuzzy Hash: bd4e09338e29685701057afcfec61bb759d1e1dc1193ba8f7bcdde9ed00f1e7e
Instruction Fuzzy Hash: 7FF06534601B80CFE32ADF08D1E2B91B3B9FB59B00F504098D4428BBA1C33AAD42CA40

Function 03132050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b2205013548d5aaa0e1fdb2d605566eed55e4b5288e2524485b1547bba8db6
Instruction ID: b739cd6600eb0653def673f094806cb7716743f8356ce20897a2a307cb99a903
Opcode Fuzzy Hash: e6b2205013548d5aaa0e1fdb2d605566eed55e4b5288e2524485b1547bba8db6
Instruction Fuzzy Hash: 63E0C2332006506BC321FB5DED00F5A739EEFAA360F004121F1508B694CB74AC01C794

Function 026E72F1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1853760130.00000000026D1000.00000020.80000000.00040000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.1853715227.00000000026D0000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853846127.00000000026EF000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 00000001.00000002.1853875666.00000000026F0000.00000020.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d0c81b38aae8fca740e93c04b2a23338cdde90d995c001ba0cef52608088b3
Instruction ID: 62b5f72fcd9324a3691b89c5e4cb734189626e2042c2d7c2bf0dd2ecc81b781d
Opcode Fuzzy Hash: 30d0c81b38aae8fca740e93c04b2a23338cdde90d995c001ba0cef52608088b3
Instruction Fuzzy Hash: B5C04C07B89155118510889E395057EF764D1EB135A6077B7D97CF3291D40286161299

Function 0312A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 9e243c63e8e16400041b3cfaafbc0a26df7547ce8b48363776cb8f1db3341c96
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: BBD0123631617097CB29E6556914F67AD199F89AA4F1A006D780AD7900CA158C93D6E0

Function 031402A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 52d48c88ef8627515984fae31311799e14890c10509c8ed6ded3d9e1f044459d
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 55D09235212E80CFD61ACB0AC5A4F16B3A8BB4CA44F850490E501CBB61D768E980CA00

Function 031B930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: ea5498cd0ccbfd84e3b8f889ef6fe9f614afe0043327861b2ab0b6de37f330a4
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: C5D01735945AC48FE727CB18C1A5B907BF8F709B40F890098E04247BA2C37C9985CB10

Function 0316C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 918163d6f77de54b6a1b5c80e60cea33c53aeafe899be7e2ad6d4531b0f8c612
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 91C0123A290648AFC712EA98CD01F027BA9EB98B40F004422F2048B670C631E821EA84

Function 03150310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: c4e878206b2dfb9189ab3a8a82729bd6c224cf8e345ab549b048ea4b7f3de109
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: A9D01236100248EFCB01DF81C890D9A772AFBDC710F148019FD190B7108A31ED62DA50

Function 03130750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 2ba736aa4907beb2bae8de1c527e5379af22e6f81fe8d15cec1447cbda8355c0
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: D1C04879B01A418FCF15EB2AD694F4977E8FB48750F1908D0E809CBB21E724E811CA20

Function 03174340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ad42fb7355fbb98f21aa88fda3809380a07b8cfb5f4cd7c62030472c2583fe
Instruction ID: 2843a2f206b27ee3288c610a871e3ae6f62c86d57654307c3ff70ba79b69b774
Opcode Fuzzy Hash: 24ad42fb7355fbb98f21aa88fda3809380a07b8cfb5f4cd7c62030472c2583fe
Instruction Fuzzy Hash: 19900231605804139140B25849C4586400697E4301B95D011E0425558C8B148A565765

Function 03173010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7ed5661991b5cf32a57473c782358921d495334b6ab4872655cb1bfed626e4
Instruction ID: 8459cb7e427f850bd36c7388e0df1ba25eb3854d61df8999af2f1c40eadea5e8
Opcode Fuzzy Hash: ec7ed5661991b5cf32a57473c782358921d495334b6ab4872655cb1bfed626e4
Instruction Fuzzy Hash: EC90022120184843D140B3584944B4F410687E5302FD5D019A4157558CCB1589555B25

Function 03173090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b636440f32d7c32d7f7d019ef2a3c5624da4364f9a93f668503e13611cf264
Instruction ID: 5611cac3bdf517be209ca9adb75c04f7fb3315afd3dc0e84c4e275860a5b31bd
Opcode Fuzzy Hash: d1b636440f32d7c32d7f7d019ef2a3c5624da4364f9a93f668503e13611cf264
Instruction Fuzzy Hash: 8990022124140C03D140B25885547470007C7D4701F95D011A0025558D87168A656AB5

Function 03174650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8723c5a79379a9e0c94251ab81fbea86305558b3bb20d22917614ca033253d
Instruction ID: a814c513ebc8e15b660df8954e35f3bf8aa118457bdd202da19852d7fdaf781d
Opcode Fuzzy Hash: 3f8723c5a79379a9e0c94251ab81fbea86305558b3bb20d22917614ca033253d
Instruction Fuzzy Hash: A8900471701504434140F35C4D444477007D7F53013D5D115F0555574CC71CCD55D77D

Function 031735C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312dd022fafde603784f4c1b8b24aaf897b67fbeb57bb2c8ec62f4dd96ee6afb
Instruction ID: 3f2e3322127b40667e86dd57f903944c991eff87cf0bbe452cd1680972d53015
Opcode Fuzzy Hash: 312dd022fafde603784f4c1b8b24aaf897b67fbeb57bb2c8ec62f4dd96ee6afb
Instruction Fuzzy Hash: B590023160550803D100B2584654746100687D4301FA5D411A042556CD87958A5169A6

Function 03172B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280c11c4bac041466c3c780174010b4b9a1315b20154d91ef4175de916380ac8
Instruction ID: a31055ae87ab0bb0054d41c6f3ff4916c984d54b5ee931c32bed63120e0eb050
Opcode Fuzzy Hash: 280c11c4bac041466c3c780174010b4b9a1315b20154d91ef4175de916380ac8
Instruction Fuzzy Hash: A390023120140C03D104B25849446C6000687D4301F95D011A6025659E976589917535

Function 03172BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900d543cb7f82b1b150f1c7cb37b6656eae25e934334139b1d734c0fc49801b5
Instruction ID: 8a2d46a7028e914073a18995b59bab3b48caf53797f0cf6acedcd7823da70d2d
Opcode Fuzzy Hash: 900d543cb7f82b1b150f1c7cb37b6656eae25e934334139b1d734c0fc49801b5
Instruction Fuzzy Hash: A390023160540C03D150B2584554786000687D4301F95D011A0025658D87558B557AA5

Function 03172BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51682210cb305b6c406f3345b537fd3b7db5f38f8c85237363aefd66b7e599e3
Instruction ID: 22fbf2272ad860c407ad87415b7fe98c93a195f569787cbd0b6a75eb7d1f720c
Opcode Fuzzy Hash: 51682210cb305b6c406f3345b537fd3b7db5f38f8c85237363aefd66b7e599e3
Instruction Fuzzy Hash: 2790023120544C43D140B2584544A86001687D4305F95D011A0065698D97258E55BA65

Function 03172AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c0830a697a7e7fd9b81358ffba674d7e7990a364ba7db08a66f93bf6ff49ef
Instruction ID: a1ffbd317c82738b439945f133dc11e24c810b418841c10756aa5f7b4cb6b010
Opcode Fuzzy Hash: 05c0830a697a7e7fd9b81358ffba674d7e7990a364ba7db08a66f93bf6ff49ef
Instruction Fuzzy Hash: F99002A1201544934500F3588544B4A450687E4301B95D016E1055564CC72589519539

Function 03172AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b092d6bea5ba95e8feaaef6ba9b58fa43d52e83d1917b7dfb626e95a8a909b
Instruction ID: 06ced77af00cf33740033a1a778df5749af3a3f9c46fdf0b984e672c6f91faf3
Opcode Fuzzy Hash: 34b092d6bea5ba95e8feaaef6ba9b58fa43d52e83d1917b7dfb626e95a8a909b
Instruction Fuzzy Hash: EC900225221404030145F658074454B044697DA3513D5D015F1417594CC72189655725

Function 031739B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24d058ab5906c04967d2143fdbdfa22a734111ba97eb3eb144186eaf81885f9
Instruction ID: 58adfac8380c1fc0d21cd7130be18f3159453e4ddbe93a951efe0c43b592cbd4
Opcode Fuzzy Hash: b24d058ab5906c04967d2143fdbdfa22a734111ba97eb3eb144186eaf81885f9
Instruction Fuzzy Hash: 0590022124545503D150B25C45446564006A7E4301F95D021A0815598D875589556625

Function 03172F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cfc659ea9b969246e392dbe6b780cbe5706c86ea2f6a2fd06aa10ea72d30b8
Instruction ID: 6270bb811d58d3cb7f26f69994af74e1eb56cf41931ac510eb7d5ed832e0e501
Opcode Fuzzy Hash: a0cfc659ea9b969246e392dbe6b780cbe5706c86ea2f6a2fd06aa10ea72d30b8
Instruction Fuzzy Hash: 0090026121140443D104B2584544746004687E5301F95D012A2155558CC7298D615529

Function 03172FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f75c449c9e698448b6845b6dfdfda69cf0044d73c5dcc85303d769e257a655
Instruction ID: 647e64486212dc5d510487111e0df8dbe22fd2c5c77c6e979c46da6fef4a0976
Opcode Fuzzy Hash: 65f75c449c9e698448b6845b6dfdfda69cf0044d73c5dcc85303d769e257a655
Instruction Fuzzy Hash: B790023120180803D100B2584948787000687D4302F95D011A5165559E8765C9916935

Function 03172890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0317293C
___swprintf_l.LIBCMT ref: 0317295E
___swprintf_l.LIBCMT ref: 031729A3
___swprintf_l.LIBCMT ref: 031AA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 031AA54E
::%hs%u.%u.%u.%u, xrefs: 031AA527
:%u.%u.%u.%u, xrefs: 031AA5B8
ffff:, xrefs: 031AA504

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: dbc252cd5ef87deead29e9e377c2de5984a575cf130dd1f5080131eec1f46148
Instruction ID: 4d1742479f51f6a917d2106745c7cd1e54111c1ef1f8cd807b7c8f681a667c84
Opcode Fuzzy Hash: dbc252cd5ef87deead29e9e377c2de5984a575cf130dd1f5080131eec1f46148
Instruction Fuzzy Hash: 4E51E7B9A04616BFCB14DB9C889097EF7F8BF0C201B1C8569E4A5D7641D374DE52CBA0

Function 03167630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 031A4655
CLIENT(ntdll): Processing section info %ws..., xrefs: 031A4787
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 031A4742
Execute=1, xrefs: 031A4713
ExecuteOptions, xrefs: 031A46A0
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 031A4725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 031A46FC

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: fc95ed62eccf16316b377ba8f85d638368d10f8976ef452fcbacf6ae884d0f2b
Instruction ID: f0c251f4846576da7f64a35e71ad42e98902c819d1a286412b32878e99e6b6b9
Opcode Fuzzy Hash: fc95ed62eccf16316b377ba8f85d638368d10f8976ef452fcbacf6ae884d0f2b
Instruction Fuzzy Hash: BF511A75A003197BEF25EAE9DC49FED73B8AF0C305F0800E9D505AB1C1DB709A518B50

Function 0317B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0317B6BF

Strings

+, xrefs: 0317B65A
0, xrefs: 0317B66F
-, xrefs: 0317B650
0, xrefs: 0317B695

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: f1fe9991bc79b15d3ccc12a51fd92ddfd931f50e91a6e583ed1a8cfed61d4015
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: A1818F74E492499FDF28CE68C8917EEBBB6AF4D350F1CC259E861A73D0C73499808B50

Function 0315F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 031A02BD
RTL: Re-Waiting, xrefs: 031A031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 031A02E7

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: ccd3099eb8b38d61f410a4ae1643d8c0cba9822f92d23994cef441b6a0cd41df
Instruction ID: df6a9b2811a3438afd085930905daac72ffcc616705f63f1e9aca4b6221187fb
Opcode Fuzzy Hash: ccd3099eb8b38d61f410a4ae1643d8c0cba9822f92d23994cef441b6a0cd41df
Instruction Fuzzy Hash: B5E18B34604B41DFD725CF28C884B6AB7E4BF8C314F184A69F9A58B2E1D774D986CB42

Function 0316B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 031A728C

Strings

RTL: Re-Waiting, xrefs: 031A72C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 031A7294
RTL: Resource at %p, xrefs: 031A72A3

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: a92a604cbdb9c2085e92aa9c95bec8137efee5b9a42f6caaec4a0ab8b4296a5d
Instruction ID: fcd92a7e9e546e30492df6af9d5812aee769ec2d6c4875f31c7e821b129f7ee2
Opcode Fuzzy Hash: a92a604cbdb9c2085e92aa9c95bec8137efee5b9a42f6caaec4a0ab8b4296a5d
Instruction Fuzzy Hash: 4641F439704606ABC724DEA9CC41BAAB7A5FF4C711F144629F855DB280DB30E952C7D1

Function 03139126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 03139191
@, xrefs: 03139175

Memory Dump Source

Source File: 00000001.00000002.1854842954.0000000003100000.00000040.00001000.00020000.00000000.sdmp, Offset: 03100000, based on PE: true

Associated: 00000001.00000002.1854842954.0000000003229000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000322D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1854842954.000000000329E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3100000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 6b3c0ea888e5b901f87a0160829cbb479e43cbdd70d5de83dbd3d42b6143d6d3
Instruction ID: 6101fc2016738b1ee8a5c685292e7739503637d06a95520f89dec0c18cfba0a8
Opcode Fuzzy Hash: 6b3c0ea888e5b901f87a0160829cbb479e43cbdd70d5de83dbd3d42b6143d6d3
Instruction Fuzzy Hash: D1811976D00269EBDB35DF54CC44BEAB7B8AF09710F0445EAA919B7280D7709E85CFA0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Order #60-23095840024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Idonna

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

Windows Analysis Report
New Order #60-23095840024.exe

Function 030BA036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Function 035EA036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Function 030BA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Function 035EA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Function 026EA50A Relevance: 1.6, APIs: 1, Instructions: 61
memorynativeCOMMON

Function 026EA2EA Relevance: 1.6, APIs: 1, Instructions: 57
filenativeCOMMON

Function 026EA58B Relevance: 1.6, APIs: 1, Instructions: 50
memorynativeCOMMON

Function 026EA330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 026EA3E0 Relevance: 1.5, APIs: 1, Instructions: 36
filenativeCOMMON