Edit tour

Windows Analysis Report
New Order #60-958400861900.exe

Overview

General Information

Sample name:	New Order #60-958400861900.exe
Analysis ID:	1522519
MD5:	1f722c0fe2a947b86676925fe00d40bf
SHA1:	1b21430ab7ac416ffe9cc6a1d78c60e4b35d45a2
SHA256:	b16f599225a875a9f8dd55e32467522916d48337bfa30939d4e48ee50cf96a88
Tags:	exeFormbookuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

New Order #60-958400861900.exe (PID: 5060 cmdline: "C:\Users\user\Desktop\New Order #60-958400861900.exe" MD5: 1F722C0FE2A947B86676925FE00D40BF)

svchost.exe (PID: 3404 cmdline: "C:\Users\user\Desktop\New Order #60-958400861900.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

raserver.exe (PID: 5432 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)

cmd.exe (PID: 5856 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.orsaperevod.online/e62s/"], "decoy": ["ellinksa.shop", "uckyspinph.xyz", "owdark.net", "arriage-therapy-72241.bond", "w7ijko4rv4p97b.top", "heirbuzzwords.buzz", "aspart.shop", "ctivemail5-kagoya-com.info", "shacertification9.shop", "zitcd65k3.buzz", "llkosoi.info", "ru8.info", "rhgtrdjdjykyetrdjftd.buzz", "yschoollist.kiwi", "oftfolio.online", "rograma-de-almacen-2.online", "oudoarms.top", "mwquas.xyz", "orjagaucha.website", "nlinechat-mh.online", "nlinebankingrates.net", "3llyb.vip", "42du394dr.autos", "ahealthcaretrends2.bond", "gbox.net", "anatanwater.net", "amearcade.shop", "ighrane.online", "01599.xyz", "ams.zone", "-mart.vip", "42bet.xyz", "6snf.shop", "nitycacao.shop", "arageflooringepoxynearme1.today", "c7qkaihvsc.top", "amingacor.click", "airosstudio.tech", "iktokonline.pro", "homasotooleboxing.net", "ashforhouse24.online", "1539.app", "atangtoto4.click", "ndex.autos", "atorengineered.tech", "angkalantogel.company", "ajudepo777.top", "jacksontimepiece.net", "gstudio-ai.homes", "unter-saaaa.buzz", "atageneral.sbs", "ingston-saaab.buzz", "i5t3.christmas", "ampanyaak.click", "dneshima.today", "angbaojia.top", "ubuz.net", "pp-games-delearglu.xyz", "insgw.bond", "7f243xb.skin", "roliig.top", "wdie3162.vip", "reechagroup.vip", "op-phone-deal.today"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.3970385739.0000000010ED1000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb02:$a2: pass 0xb08:$a3: email 0xb0f:$a4: login 0xb16:$a5: signin 0xb27:$a6: persistent 0xcfa:$r1: C:\Users\user\AppData\Roaming\6N737633\6N7log.ini
00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: svchost.exe PID: 3404	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ec56:$a1: 3C 30 50 4F 53 54 74 09 40 0xcb8b9:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: raserver.exe PID: 5432	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xa1dab:$a1: 3C 30 50 4F 53 54 74 09 40 0x114e38:$a1: 3C 30 50 4F 53 54 74 09 40 0x17fa90:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.svchost.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.svchost.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\New Order #60-958400861900.exe", CommandLine: "C:\Users\user\Desktop\New Order #60-958400861900.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Order #60-958400861900.exe", ParentImage: C:\Users\user\Desktop\New Order #60-958400861900.exe, ParentProcessId: 5060, ParentProcessName: New Order #60-958400861900.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Order #60-958400861900.exe", ProcessId: 3404, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\New Order #60-958400861900.exe", CommandLine: "C:\Users\user\Desktop\New Order #60-958400861900.exe", CommandLine|base64offset|contains: :^, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\New Order #60-958400861900.exe", ParentImage: C:\Users\user\Desktop\New Order #60-958400861900.exe, ParentProcessId: 5060, ParentProcessName: New Order #60-958400861900.exe, ProcessCommandLine: "C:\Users\user\Desktop\New Order #60-958400861900.exe", ProcessId: 3404, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-30T10:01:56.079711+0200	2031453	1	Malware Command and Control Activity Detected	192.168.2.8	63786	54.37.173.127	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: New Order #60-958400861900.exe

Avira: detected

Found malware configuration

Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.orsaperevod.online/e62s/"], "decoy": ["ellinksa.shop", "uckyspinph.xyz", "owdark.net", "arriage-therapy-72241.bond", "w7ijko4rv4p97b.top", "heirbuzzwords.buzz", "aspart.shop", "ctivemail5-kagoya-com.info", "shacertification9.shop", "zitcd65k3.buzz", "llkosoi.info", "ru8.info", "rhgtrdjdjykyetrdjftd.buzz", "yschoollist.kiwi", "oftfolio.online", "rograma-de-almacen-2.online", "oudoarms.top", "mwquas.xyz", "orjagaucha.website", "nlinechat-mh.online", "nlinebankingrates.net", "3llyb.vip", "42du394dr.autos", "ahealthcaretrends2.bond", "gbox.net", "anatanwater.net", "amearcade.shop", "ighrane.online", "01599.xyz", "ams.zone", "-mart.vip", "42bet.xyz", "6snf.shop", "nitycacao.shop", "arageflooringepoxynearme1.today", "c7qkaihvsc.top", "amingacor.click", "airosstudio.tech", "iktokonline.pro", "homasotooleboxing.net", "ashforhouse24.online", "1539.app", "atangtoto4.click", "ndex.autos", "atorengineered.tech", "angkalantogel.company", "ajudepo777.top", "jacksontimepiece.net", "gstudio-ai.homes", "unter-saaaa.buzz", "atageneral.sbs", "ingston-saaab.buzz", "i5t3.christmas", "ampanyaak.click", "dneshima.today", "angbaojia.top", "ubuz.net", "pp-games-delearglu.xyz", "insgw.bond", "7f243xb.skin", "roliig.top", "wdie3162.vip", "reechagroup.vip", "op-phone-deal.today"]}

Multi AV Scanner detection for submitted file

Source: New Order #60-958400861900.exe	ReversingLabs: Detection: 65%
Source: New Order #60-958400861900.exe	Virustotal: Detection: 33%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: New Order #60-958400861900.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C30115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,	4_2_00C30115
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C2FD30 CryptExportKey,GetLastError,malloc,CryptExportKey,GetLastError,free,	4_2_00C2FD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C2DAFB CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,	4_2_00C2DAFB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C2FA58 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,GetLastError,	4_2_00C2FA58
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C2FE35 CryptBinaryToStringW,GetLastError,malloc,CryptBinaryToStringW,GetLastError,free,SysFreeString,	4_2_00C2FE35
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C30383 __EH_prolog3_GS,SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString,	4_2_00C30383
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C2FF58 CryptStringToBinaryW,GetLastError,malloc,CryptStringToBinaryW,GetLastError,	4_2_00C2FF58

Source: New Order #60-958400861900.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1554875967.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556352418.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3954891304.000000000523E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3954891304.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1614787383.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1612845371.0000000004D4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1554875967.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556352418.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000004.00000002.3954891304.000000000523E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3954891304.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1614787383.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1612845371.0000000004D4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: svchost.exe, 00000002.00000003.1612050019.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1612209333.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1613543357.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, raserver.exe, 00000004.00000002.3954172158.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3970084309.000000001013F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000004.00000002.3954599706.00000000034AC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3955376616.00000000055EF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: svchost.exe, 00000002.00000003.1612050019.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1612209333.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1613543357.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, 00000004.00000002.3954172158.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3970084309.000000001013F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000004.00000002.3954599706.00000000034AC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3955376616.00000000055EF000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop esi		2_2_004172F1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop esi		4_2_02F272F1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:63786 -> 54.37.173.127:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:63786 -> 54.37.173.127:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:63786 -> 54.37.173.127:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.orsaperevod.online/e62s/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.pp-games-delearglu.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.dneshima.today replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.atangtoto4.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nlinechat-mh.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.yschoollist.kiwi replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.insgw.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.orsaperevod.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.arriage-therapy-72241.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.pp-games-delearglu.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.amingacor.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.anatanwater.net replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.nlinechat-mh.online
Source: global traffic	DNS traffic detected: DNS query: www.atangtoto4.click
Source: global traffic	DNS traffic detected: DNS query: www.pp-games-delearglu.xyz
Source: global traffic	DNS traffic detected: DNS query: www.amingacor.click
Source: global traffic	DNS traffic detected: DNS query: www.dneshima.today
Source: global traffic	DNS traffic detected: DNS query: www.anatanwater.net
Source: global traffic	DNS traffic detected: DNS query: www.orsaperevod.online
Source: global traffic	DNS traffic detected: DNS query: www.insgw.bond
Source: global traffic	DNS traffic detected: DNS query: www.yschoollist.kiwi
Source: global traffic	DNS traffic detected: DNS query: www.arriage-therapy-72241.bond
Source: global traffic	DNS traffic detected: DNS query: www.ubuz.net

Source: explorer.exe, 00000003.00000003.3076208326.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009269000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000003.3076208326.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009269000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1562460547.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076208326.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076208326.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009269000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.3955844536.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560467949.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000003.00000003.3076208326.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.0000000009269000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009269000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3958104656.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3957258239.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1559099867.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1561599519.0000000007710000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.42bet.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.42bet.xyz/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.42bet.xyz/e62s/www.aspart.shop
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.42bet.xyzReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amingacor.click
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amingacor.click/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amingacor.click/e62s/www.mwquas.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amingacor.clickReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ams.zone
Source: explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ams.zone/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ams.zoneReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anatanwater.net
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anatanwater.net/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anatanwater.net/e62s/www.orsaperevod.online
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anatanwater.netReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arriage-therapy-72241.bond
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arriage-therapy-72241.bond/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arriage-therapy-72241.bond/e62s/www.ubuz.net
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.arriage-therapy-72241.bondReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aspart.shop
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aspart.shop/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aspart.shop/e62s/www.uckyspinph.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aspart.shopReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.click
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.click/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.click/e62s/www.pp-games-delearglu.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atangtoto4.clickReferer:
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dneshima.today
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dneshima.today/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dneshima.today/e62s/www.anatanwater.net
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dneshima.todayReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insgw.bond
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insgw.bond/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insgw.bond/e62s/www.yschoollist.kiwi
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.insgw.bondReferer:
Source: explorer.exe, 00000003.00000000.1562460547.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076208326.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyz/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyz/e62s/www.dneshima.today
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mwquas.xyzReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinechat-mh.online
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinechat-mh.online/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinechat-mh.online/e62s/www.atangtoto4.click
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinechat-mh.onlineReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.online
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.online/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.online/e62s/www.insgw.bond
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orsaperevod.onlineReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pp-games-delearglu.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pp-games-delearglu.xyz/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pp-games-delearglu.xyz/e62s/www.amingacor.click
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pp-games-delearglu.xyzReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubuz.net
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubuz.net/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubuz.net/e62s/www.42bet.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ubuz.netReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uckyspinph.xyz
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uckyspinph.xyz/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uckyspinph.xyz/e62s/www.ams.zone
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uckyspinph.xyzReferer:
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yschoollist.kiwi
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yschoollist.kiwi/e62s/
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yschoollist.kiwi/e62s/www.arriage-therapy-72241.bond
Source: explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yschoollist.kiwiReferer:
Source: explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000003.00000000.1560967018.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956838586.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284437015.000000000704B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000002.3958104656.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958104656.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3958104656.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000003.00000000.1564976586.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3965775431.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000003.00000000.1564976586.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3965775431.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000000.1564976586.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3965775431.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000000.1564976586.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/EM0
Source: explorer.exe, 00000003.00000000.1564976586.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3965775431.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C30115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,		4_2_00C30115
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C30383 __EH_prolog3_GS,SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString,		4_2_00C30383

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3970385739.0000000010ED1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: svchost.exe PID: 3404, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 5432, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Order #60-958400861900.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A330 NtCreateFile,	2_2_0041A330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A3E0 NtReadFile,	2_2_0041A3E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A460 NtClose,	2_2_0041A460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A510 NtAllocateVirtualMemory,	2_2_0041A510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A2EA NtCreateFile,	2_2_0041A2EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A50A NtAllocateVirtualMemory,	2_2_0041A50A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A58B NtAllocateVirtualMemory,	2_2_0041A58B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,	2_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AD0 NtReadFile,LdrInitializeThunk,	2_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F30 NtCreateSection,LdrInitializeThunk,	2_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FE0 NtCreateFile,LdrInitializeThunk,	2_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FB0 NtResumeThread,LdrInitializeThunk,	2_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474340 NtSetContextThread,	2_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473010 NtOpenDirectoryObject,	2_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473090 NtSetValueKey,	2_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03474650 NtSuspendThread,	2_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034735C0 NtCreateMutant,	2_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BE0 NtQueryValueKey,	2_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472B80 NtQueryInformationFile,	2_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472BA0 NtEnumerateValueKey,	2_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AF0 NtWriteFile,	2_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472AB0 NtWaitForSingleObject,	2_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034739B0 NtGetContextThread,	2_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472F60 NtCreateProcessEx,	2_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472FA0 NtQuerySection,	2_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472E30 NtWriteVirtualMemory,	2_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472EE0 NtQueueApcThread,	2_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D70 NtOpenThread,	2_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472D00 NtSetInformationFile,	2_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03473D10 NtOpenProcessToken,	2_2_03473D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472DB0 NtEnumerateKey,	2_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C60 NtCreateKey,	2_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C70 NtFreeVirtualMemory,	2_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472C00 NtQueryInformationProcess,	2_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CC0 NtQueryVirtualMemory,	2_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472CF0 NtOpenProcess,	2_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,	2_2_038FA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA042 NtQueryInformationProcess,	2_2_038FA042
Source: C:\Windows\explorer.exe	Code function: 3_2_10EB9232 NtCreateFile,	3_2_10EB9232
Source: C:\Windows\explorer.exe	Code function: 3_2_10EBAE12 NtProtectVirtualMemory,	3_2_10EBAE12
Source: C:\Windows\explorer.exe	Code function: 3_2_10EBAE0A NtProtectVirtualMemory,	3_2_10EBAE0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051135C0 NtCreateMutant,LdrInitializeThunk,	4_2_051135C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_05112D10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112DD0 NtDelayExecution,LdrInitializeThunk,	4_2_05112DD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_05112DF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_05112C70
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112C60 NtCreateKey,LdrInitializeThunk,	4_2_05112C60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_05112CA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112F30 NtCreateSection,LdrInitializeThunk,	4_2_05112F30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112FE0 NtCreateFile,LdrInitializeThunk,	4_2_05112FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_05112EA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112B60 NtClose,LdrInitializeThunk,	4_2_05112B60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_05112BF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_05112BE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112AD0 NtReadFile,LdrInitializeThunk,	4_2_05112AD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05114650 NtSuspendThread,	4_2_05114650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05113010 NtOpenDirectoryObject,	4_2_05113010
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05113090 NtSetValueKey,	4_2_05113090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05114340 NtSetContextThread,	4_2_05114340
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05113D10 NtOpenProcessToken,	4_2_05113D10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112D00 NtSetInformationFile,	4_2_05112D00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112D30 NtUnmapViewOfSection,	4_2_05112D30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05113D70 NtOpenThread,	4_2_05113D70
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112DB0 NtEnumerateKey,	4_2_05112DB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112C00 NtQueryInformationProcess,	4_2_05112C00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112CC0 NtQueryVirtualMemory,	4_2_05112CC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112CF0 NtOpenProcess,	4_2_05112CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112F60 NtCreateProcessEx,	4_2_05112F60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112F90 NtProtectVirtualMemory,	4_2_05112F90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112FB0 NtResumeThread,	4_2_05112FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112FA0 NtQuerySection,	4_2_05112FA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112E30 NtWriteVirtualMemory,	4_2_05112E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112E80 NtReadVirtualMemory,	4_2_05112E80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112EE0 NtQueueApcThread,	4_2_05112EE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051139B0 NtGetContextThread,	4_2_051139B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112B80 NtQueryInformationFile,	4_2_05112B80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112BA0 NtEnumerateValueKey,	4_2_05112BA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112AB0 NtWaitForSingleObject,	4_2_05112AB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05112AF0 NtWriteFile,	4_2_05112AF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2A3E0 NtReadFile,	4_2_02F2A3E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2A330 NtCreateFile,	4_2_02F2A330
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2A460 NtClose,	4_2_02F2A460
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2A510 NtAllocateVirtualMemory,	4_2_02F2A510
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2A2EA NtCreateFile,	4_2_02F2A2EA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2A58B NtAllocateVirtualMemory,	4_2_02F2A58B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2A50A NtAllocateVirtualMemory,	4_2_02F2A50A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E4A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	4_2_04E4A036
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E49BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	4_2_04E49BAF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E4A042 NtQueryInformationProcess,	4_2_04E4A042
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E49BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_04E49BB2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401026	2_2_00401026
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E0EA	2_2_0041E0EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EAD0	2_2_0041EAD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DA81	2_2_0041DA81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DB72	2_2_0041DB72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E43E	2_2_0041E43E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D569	2_2_0041D569
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D576	2_2_0041D576
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E5B	2_2_00409E5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E60	2_2_00409E60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EE34	2_2_0041EE34
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E743	2_2_0041E743
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035003E6	2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347516C	2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B16B	2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430100	2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F81CC	2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035001AA	2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF0CC	2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F70E9	2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF0E0	2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03464750	2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF7B0	2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C6E0	2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7571	2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440535	2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03500591	2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DD5B0	2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F2446	2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431460	2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FF43F	2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EE4F6	2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FAB40	2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFB76	2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F6BD7	2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0347DBF9	2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FB80	2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFA49	2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7A46	2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B3A6C	2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EDAC6	2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343EA80	2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DDAAC	2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03485AA0	2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449950	2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B950	2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03456962	2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034429A0	2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350A9A6	2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03442840	2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344A840	2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD800	2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034438E0	2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E8F0	2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034268B8	2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4F40	2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFF09	2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03482F28	2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460F30	2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432FC8	2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344CFE0	2_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441F92	2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFFB1	2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440E59	2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEE26	2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FEEDB	2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03452E90	2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FCE93	2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03449EB0	2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443D40	2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F1D5A	2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F7D73	2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344AD00	2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345FDC0	2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343ADE0	2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03458DBF	2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440C00	2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B9C32	2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430CF2	2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FFCF2	2_2_034FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0CB5	2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA036	2_2_038FA036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FB232	2_2_038FB232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1082	2_2_038F1082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FE5CD	2_2_038FE5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F5B32	2_2_038F5B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F5B30	2_2_038F5B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8912	2_2_038F8912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2D02	2_2_038F2D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E17A232	3_2_0E17A232
Source: C:\Windows\explorer.exe	Code function: 3_2_0E174B32	3_2_0E174B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0E174B30	3_2_0E174B30
Source: C:\Windows\explorer.exe	Code function: 3_2_0E179036	3_2_0E179036
Source: C:\Windows\explorer.exe	Code function: 3_2_0E170082	3_2_0E170082
Source: C:\Windows\explorer.exe	Code function: 3_2_0E177912	3_2_0E177912
Source: C:\Windows\explorer.exe	Code function: 3_2_0E171D02	3_2_0E171D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0E17D5CD	3_2_0E17D5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10EB9232	3_2_10EB9232
Source: C:\Windows\explorer.exe	Code function: 3_2_10EAF082	3_2_10EAF082
Source: C:\Windows\explorer.exe	Code function: 3_2_10EB8036	3_2_10EB8036
Source: C:\Windows\explorer.exe	Code function: 3_2_10EBC5CD	3_2_10EBC5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10EB3B32	3_2_10EB3B32
Source: C:\Windows\explorer.exe	Code function: 3_2_10EB3B30	3_2_10EB3B30
Source: C:\Windows\explorer.exe	Code function: 3_2_10EB0D02	3_2_10EB0D02
Source: C:\Windows\explorer.exe	Code function: 3_2_10EB6912	3_2_10EB6912
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C25F64	4_2_00C25F64
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E0535	4_2_050E0535
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05197571	4_2_05197571
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051A0591	4_2_051A0591
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0517D5B0	4_2_0517D5B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519F43F	4_2_0519F43F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05192446	4_2_05192446
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050D1460	4_2_050D1460
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0518E4F6	4_2_0518E4F6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05104750	4_2_05104750
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E0770	4_2_050E0770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519F7B0	4_2_0519F7B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050DC7C0	4_2_050DC7C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051916CC	4_2_051916CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050FC6E0	4_2_050FC6E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050D0100	4_2_050D0100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0517A118	4_2_0517A118
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051AB16B	4_2_051AB16B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0511516C	4_2_0511516C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050CF172	4_2_050CF172
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051A01AA	4_2_051A01AA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050EB1B0	4_2_050EB1B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051981CC	4_2_051981CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E70C0	4_2_050E70C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0518F0CC	4_2_0518F0CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051970E9	4_2_051970E9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519F0E0	4_2_0519F0E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519132D	4_2_0519132D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050CD34C	4_2_050CD34C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519A352	4_2_0519A352
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0512739A	4_2_0512739A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051A03E6	4_2_051A03E6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050EE3F0	4_2_050EE3F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05180274	4_2_05180274
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E52A0	4_2_050E52A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050FB2C0	4_2_050FB2C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051812ED	4_2_051812ED
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050EAD00	4_2_050EAD00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05191D5A	4_2_05191D5A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E3D40	4_2_050E3D40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05197D73	4_2_05197D73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050F8DBF	4_2_050F8DBF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050FFDC0	4_2_050FFDC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050DADE0	4_2_050DADE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E0C00	4_2_050E0C00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05159C32	4_2_05159C32
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05180CB5	4_2_05180CB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519FCF2	4_2_0519FCF2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050D0CF2	4_2_050D0CF2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519FF09	4_2_0519FF09
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05100F30	4_2_05100F30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05122F28	4_2_05122F28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05154F40	4_2_05154F40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E1F92	4_2_050E1F92
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519FFB1	4_2_0519FFB1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050D2FC8	4_2_050D2FC8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050ECFE0	4_2_050ECFE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519EE26	4_2_0519EE26
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E0E59	4_2_050E0E59
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519CE93	4_2_0519CE93
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050F2E90	4_2_050F2E90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E9EB0	4_2_050E9EB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519EEDB	4_2_0519EEDB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E9950	4_2_050E9950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050FB950	4_2_050FB950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050F6962	4_2_050F6962
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E29A0	4_2_050E29A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_051AA9A6	4_2_051AA9A6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0514D800	4_2_0514D800
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E2840	4_2_050E2840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050EA840	4_2_050EA840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050C68B8	4_2_050C68B8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0510E8F0	4_2_0510E8F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050E38E0	4_2_050E38E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519AB40	4_2_0519AB40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519FB76	4_2_0519FB76
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050FFB80	4_2_050FFB80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05196BD7	4_2_05196BD7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0511DBF9	4_2_0511DBF9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0519FA49	4_2_0519FA49
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05197A46	4_2_05197A46
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05153A6C	4_2_05153A6C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050DEA80	4_2_050DEA80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_05125AA0	4_2_05125AA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0517DAAC	4_2_0517DAAC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_0518DAC6	4_2_0518DAC6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2E743	4_2_02F2E743
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2D576	4_2_02F2D576
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2D569	4_2_02F2D569
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2EAD0	4_2_02F2EAD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2DA81	4_2_02F2DA81
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F19E60	4_2_02F19E60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F19E5B	4_2_02F19E5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F2EE34	4_2_02F2EE34
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F12FB0	4_2_02F12FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_02F12D90	4_2_02F12D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E4A036	4_2_04E4A036
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E4E5CD	4_2_04E4E5CD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E42D02	4_2_04E42D02
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E41082	4_2_04E41082
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E48912	4_2_04E48912
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E4B232	4_2_04E4B232
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E45B30	4_2_04E45B30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_04E45B32	4_2_04E45B32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 89 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 05115130 appears 36 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 0515F290 appears 105 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 05127E54 appears 89 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 050CB970 appears 268 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 00C30FD2 appears 117 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 0514EA12 appears 86 times

Source: New Order #60-958400861900.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3970385739.0000000010ED1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: svchost.exe PID: 3404, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 5432, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/1@11/0

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 4_2_00C2A010 CoCreateInstance,

4_2_00C2A010

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 4_2_00C252BB __EH_prolog3_catch_GS,LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

4_2_00C252BB

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe

File created: C:\Users\user\AppData\Local\Temp\colliquefaction

Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe

Command line argument: offerraupdate

4_2_00C29AC5

Source: New Order #60-958400861900.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New Order #60-958400861900.exe	ReversingLabs: Detection: 65%
Source: New Order #60-958400861900.exe	Virustotal: Detection: 33%

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe

File read: C:\Users\user\Desktop\New Order #60-958400861900.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Order #60-958400861900.exe "C:\Users\user\Desktop\New Order #60-958400861900.exe"
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Order #60-958400861900.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Order #60-958400861900.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: New Order #60-958400861900.exe

Static file information: File size 1095969 > 1048576

Source:	Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1554875967.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556352418.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3954891304.000000000523E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3954891304.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1614787383.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1612845371.0000000004D4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1554875967.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1556352418.0000000003200000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000004.00000002.3954891304.000000000523E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3954891304.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1614787383.0000000004EF3000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000003.1612845371.0000000004D4D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: svchost.exe, 00000002.00000003.1612050019.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1612209333.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1613543357.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, raserver.exe, 00000004.00000002.3954172158.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3970084309.000000001013F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000004.00000002.3954599706.00000000034AC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3955376616.00000000055EF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: svchost.exe, 00000002.00000003.1612050019.0000000002E1C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1612209333.0000000002E35000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1613543357.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, raserver.exe, 00000004.00000002.3954172158.0000000000C20000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3970084309.000000001013F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 00000004.00000002.3954599706.00000000034AC000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000004.00000002.3955376616.00000000055EF000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 4_2_00C2ACA0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString,

4_2_00C2ACA0

Source: New Order #60-958400861900.exe

Static PE information: real checksum: 0xa961f should be: 0x1125dd

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4D2 push eax; ret	2_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4DB push eax; ret	2_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D485 push eax; ret	2_2_0041D4D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D53C push eax; ret	2_2_0041D542
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041275B push ss; retf	2_2_0041275D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx	2_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEB02 push esp; retn 0000h	2_2_038FEB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEB1E push esp; retn 0000h	2_2_038FEB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FE9B5 push esp; retn 0000h	2_2_038FEAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0E17DB1E push esp; retn 0000h	3_2_0E17DB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0E17DB02 push esp; retn 0000h	3_2_0E17DB03
Source: C:\Windows\explorer.exe	Code function: 3_2_0E17D9B5 push esp; retn 0000h	3_2_0E17DAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10EBC9B5 push esp; retn 0000h	3_2_10EBCAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10EBCB02 push esp; retn 0000h	3_2_10EBCB03
Source: C:\Windows\explorer.exe	Code function: 3_2_10EBCB1E push esp; retn 0000h	3_2_10EBCB1F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C340C0 push eax; ret	4_2_00C340C2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C340B7 push eax; ret	4_2_00C340BA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C340B5 push eax; ret	4_2_00C340B6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C340BD push eax; ret	4_2_00C340BE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C34078 push ecx; ret	4_2_00C34082
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C33DCB push ss; ret	4_2_00C33DDE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C335DC push 0000002Ch; ret	4_2_00C335DE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C335EB push dword ptr [ebp+2Ch]; ret	4_2_00C335EE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C329BD push ecx; ret	4_2_00C329D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C3252C push ecx; ret	4_2_00C3253F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C332D3 push eax; ret	4_2_00C332D4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C33EF1 push ecx; ret	4_2_00C33EF2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C33A8B push esi; ret	4_2_00C33A8D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C33E8C push ecx; ret	4_2_00C33E9A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C332B3 push eax; ret	4_2_00C332B4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_050D09AD push ecx; mov dword ptr [esp], ecx	4_2_050D09B6

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	API/Special instruction interceptor: Address: 407325C
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 2F19904 second address: 2F1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 2F19B7E second address: 2F19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6913	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3028	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 878	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 875	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Window / User API: threadDelayed 3906	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Window / User API: threadDelayed 6066	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.3 %
Source: C:\Windows\SysWOW64\raserver.exe	API coverage: 1.6 %

Source: C:\Windows\explorer.exe TID: 6504	Thread sleep count: 6913 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6504	Thread sleep time: -13826000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6504	Thread sleep count: 3028 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6504	Thread sleep time: -6056000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 568	Thread sleep count: 3906 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 568	Thread sleep time: -7812000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 568	Thread sleep count: 6066 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 568	Thread sleep time: -12132000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: explorer.exe, 00000003.00000002.3958104656.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000003.00000000.1558115200.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000003.2285594835.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000003.00000002.3958432819.0000000009269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000003.00000000.1558115200.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000003.00000000.1562460547.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076208326.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000002.3958104656.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1558115200.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000003.2285594835.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.3958432819.0000000009269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000003.00000000.1558115200.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AB0 rdtsc

2_2_00409AB0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACF0 LdrLoadDll,

2_2_0040ACF0

Source: C:\Windows\SysWOW64\raserver.exe

4_2_00C2ACA0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]	2_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C mov eax, dword ptr fs:[00000030h]	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D34C mov eax, dword ptr fs:[00000030h]	2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03505341 mov eax, dword ptr fs:[00000030h]	2_2_03505341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429353 mov eax, dword ptr fs:[00000030h]	2_2_03429353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429353 mov eax, dword ptr fs:[00000030h]	2_2_03429353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]	2_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]	2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF367 mov eax, dword ptr fs:[00000030h]	2_2_034EF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]	2_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03437370 mov eax, dword ptr fs:[00000030h]	2_2_03437370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03437370 mov eax, dword ptr fs:[00000030h]	2_2_03437370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03437370 mov eax, dword ptr fs:[00000030h]	2_2_03437370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B930B mov eax, dword ptr fs:[00000030h]	2_2_034B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B930B mov eax, dword ptr fs:[00000030h]	2_2_034B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B930B mov eax, dword ptr fs:[00000030h]	2_2_034B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]	2_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]	2_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]	2_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D mov eax, dword ptr fs:[00000030h]	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F132D mov eax, dword ptr fs:[00000030h]	2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345F32A mov eax, dword ptr fs:[00000030h]	2_2_0345F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03427330 mov eax, dword ptr fs:[00000030h]	2_2_03427330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]	2_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]	2_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EB3D0 mov ecx, dword ptr fs:[00000030h]	2_2_034EB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF3E6 mov eax, dword ptr fs:[00000030h]	2_2_034EF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035053FC mov eax, dword ptr fs:[00000030h]	2_2_035053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]	2_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]	2_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]	2_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]	2_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350539D mov eax, dword ptr fs:[00000030h]	2_2_0350539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A mov eax, dword ptr fs:[00000030h]	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0348739A mov eax, dword ptr fs:[00000030h]	2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]	2_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034533A5 mov eax, dword ptr fs:[00000030h]	2_2_034533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034633A0 mov eax, dword ptr fs:[00000030h]	2_2_034633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034633A0 mov eax, dword ptr fs:[00000030h]	2_2_034633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429240 mov eax, dword ptr fs:[00000030h]	2_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429240 mov eax, dword ptr fs:[00000030h]	2_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346724D mov eax, dword ptr fs:[00000030h]	2_2_0346724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]	2_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EB256 mov eax, dword ptr fs:[00000030h]	2_2_034EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EB256 mov eax, dword ptr fs:[00000030h]	2_2_034EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]	2_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]	2_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FD26B mov eax, dword ptr fs:[00000030h]	2_2_034FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034FD26B mov eax, dword ptr fs:[00000030h]	2_2_034FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]	2_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03459274 mov eax, dword ptr fs:[00000030h]	2_2_03459274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03471270 mov eax, dword ptr fs:[00000030h]	2_2_03471270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03471270 mov eax, dword ptr fs:[00000030h]	2_2_03471270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]	2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03467208 mov eax, dword ptr fs:[00000030h]	2_2_03467208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03467208 mov eax, dword ptr fs:[00000030h]	2_2_03467208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03505227 mov eax, dword ptr fs:[00000030h]	2_2_03505227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]	2_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]	2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034392C5 mov eax, dword ptr fs:[00000030h]	2_2_034392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034392C5 mov eax, dword ptr fs:[00000030h]	2_2_034392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B2D3 mov eax, dword ptr fs:[00000030h]	2_2_0342B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B2D3 mov eax, dword ptr fs:[00000030h]	2_2_0342B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B2D3 mov eax, dword ptr fs:[00000030h]	2_2_0342B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345F2D0 mov eax, dword ptr fs:[00000030h]	2_2_0345F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345F2D0 mov eax, dword ptr fs:[00000030h]	2_2_0345F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]	2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]	2_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035052E2 mov eax, dword ptr fs:[00000030h]	2_2_035052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF2F8 mov eax, dword ptr fs:[00000030h]	2_2_034EF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034292FF mov eax, dword ptr fs:[00000030h]	2_2_034292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]	2_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]	2_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03505283 mov eax, dword ptr fs:[00000030h]	2_2_03505283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346329E mov eax, dword ptr fs:[00000030h]	2_2_0346329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346329E mov eax, dword ptr fs:[00000030h]	2_2_0346329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]	2_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]	2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]	2_2_034F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]	2_2_034F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]	2_2_034F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]	2_2_034F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]	2_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C72A0 mov eax, dword ptr fs:[00000030h]	2_2_034C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C72A0 mov eax, dword ptr fs:[00000030h]	2_2_034C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B92BC mov eax, dword ptr fs:[00000030h]	2_2_034B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B92BC mov eax, dword ptr fs:[00000030h]	2_2_034B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B92BC mov ecx, dword ptr fs:[00000030h]	2_2_034B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B92BC mov ecx, dword ptr fs:[00000030h]	2_2_034B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03505152 mov eax, dword ptr fs:[00000030h]	2_2_03505152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]	2_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]	2_2_03429148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]	2_2_03429148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]	2_2_03429148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]	2_2_03429148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03437152 mov eax, dword ptr fs:[00000030h]	2_2_03437152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]	2_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]	2_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]	2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C9179 mov eax, dword ptr fs:[00000030h]	2_2_034C9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]	2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]	2_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]	2_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431131 mov eax, dword ptr fs:[00000030h]	2_2_03431131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03431131 mov eax, dword ptr fs:[00000030h]	2_2_03431131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]	2_2_0342B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]	2_2_0342B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]	2_2_0342B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]	2_2_0342B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]	2_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346D1D0 mov eax, dword ptr fs:[00000030h]	2_2_0346D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346D1D0 mov ecx, dword ptr fs:[00000030h]	2_2_0346D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035051CB mov eax, dword ptr fs:[00000030h]	2_2_035051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]	2_2_034551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034351ED mov eax, dword ptr fs:[00000030h]	2_2_034351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]	2_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]	2_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]	2_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]	2_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]	2_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]	2_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03487190 mov eax, dword ptr fs:[00000030h]	2_2_03487190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]	2_2_034E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]	2_2_034E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]	2_2_034E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]	2_2_034E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344B1B0 mov eax, dword ptr fs:[00000030h]	2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]	2_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D705E mov ebx, dword ptr fs:[00000030h]	2_2_034D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034D705E mov eax, dword ptr fs:[00000030h]	2_2_034D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345B052 mov eax, dword ptr fs:[00000030h]	2_2_0345B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B106E mov eax, dword ptr fs:[00000030h]	2_2_034B106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03505060 mov eax, dword ptr fs:[00000030h]	2_2_03505060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov ecx, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]	2_2_03441070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]	2_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD070 mov ecx, dword ptr fs:[00000030h]	2_2_034AD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]	2_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]	2_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]	2_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]	2_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]	2_2_034F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]	2_2_034F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]	2_2_034F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]	2_2_034F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]	2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035050D9 mov eax, dword ptr fs:[00000030h]	2_2_035050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD0C0 mov eax, dword ptr fs:[00000030h]	2_2_034AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AD0C0 mov eax, dword ptr fs:[00000030h]	2_2_034AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]	2_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034590DB mov eax, dword ptr fs:[00000030h]	2_2_034590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034550E4 mov eax, dword ptr fs:[00000030h]	2_2_034550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034550E4 mov ecx, dword ptr fs:[00000030h]	2_2_034550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]	2_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]	2_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]	2_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342D08D mov eax, dword ptr fs:[00000030h]	2_2_0342D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03435096 mov eax, dword ptr fs:[00000030h]	2_2_03435096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345D090 mov eax, dword ptr fs:[00000030h]	2_2_0345D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345D090 mov eax, dword ptr fs:[00000030h]	2_2_0345D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346909C mov eax, dword ptr fs:[00000030h]	2_2_0346909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443740 mov eax, dword ptr fs:[00000030h]	2_2_03443740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443740 mov eax, dword ptr fs:[00000030h]	2_2_03443740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03443740 mov eax, dword ptr fs:[00000030h]	2_2_03443740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]	2_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]	2_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]	2_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503749 mov eax, dword ptr fs:[00000030h]	2_2_03503749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]	2_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]	2_2_0342B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]	2_2_0342B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]	2_2_0342B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]	2_2_0342B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]	2_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]	2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03437703 mov eax, dword ptr fs:[00000030h]	2_2_03437703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03435702 mov eax, dword ptr fs:[00000030h]	2_2_03435702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03435702 mov eax, dword ptr fs:[00000030h]	2_2_03435702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]	2_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]	2_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]	2_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346F71F mov eax, dword ptr fs:[00000030h]	2_2_0346F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346F71F mov eax, dword ptr fs:[00000030h]	2_2_0346F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF72E mov eax, dword ptr fs:[00000030h]	2_2_034EF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03433720 mov eax, dword ptr fs:[00000030h]	2_2_03433720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344F720 mov eax, dword ptr fs:[00000030h]	2_2_0344F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344F720 mov eax, dword ptr fs:[00000030h]	2_2_0344F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344F720 mov eax, dword ptr fs:[00000030h]	2_2_0344F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F972B mov eax, dword ptr fs:[00000030h]	2_2_034F972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]	2_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]	2_2_0350B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]	2_2_0350B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]	2_2_0350B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]	2_2_0350B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429730 mov eax, dword ptr fs:[00000030h]	2_2_03429730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03429730 mov eax, dword ptr fs:[00000030h]	2_2_03429730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03465734 mov eax, dword ptr fs:[00000030h]	2_2_03465734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343973A mov eax, dword ptr fs:[00000030h]	2_2_0343973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343973A mov eax, dword ptr fs:[00000030h]	2_2_0343973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]	2_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]	2_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034357C0 mov eax, dword ptr fs:[00000030h]	2_2_034357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034357C0 mov eax, dword ptr fs:[00000030h]	2_2_034357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034357C0 mov eax, dword ptr fs:[00000030h]	2_2_034357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]	2_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343D7E0 mov ecx, dword ptr fs:[00000030h]	2_2_0343D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]	2_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]	2_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF78A mov eax, dword ptr fs:[00000030h]	2_2_034EF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B97A9 mov eax, dword ptr fs:[00000030h]	2_2_034B97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]	2_2_034BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]	2_2_034BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]	2_2_034BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]	2_2_034BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]	2_2_034BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035037B6 mov eax, dword ptr fs:[00000030h]	2_2_035037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]	2_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345D7B0 mov eax, dword ptr fs:[00000030h]	2_2_0345D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]	2_2_0342F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]	2_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]	2_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]	2_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03469660 mov eax, dword ptr fs:[00000030h]	2_2_03469660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03469660 mov eax, dword ptr fs:[00000030h]	2_2_03469660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]	2_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03461607 mov eax, dword ptr fs:[00000030h]	2_2_03461607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]	2_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346F603 mov eax, dword ptr fs:[00000030h]	2_2_0346F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]	2_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03433616 mov eax, dword ptr fs:[00000030h]	2_2_03433616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03433616 mov eax, dword ptr fs:[00000030h]	2_2_03433616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]	2_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]	2_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]	2_2_0342F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]	2_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03505636 mov eax, dword ptr fs:[00000030h]	2_2_03505636
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]	2_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]	2_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]	2_2_0343B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]	2_2_0343B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]	2_2_0343B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]	2_2_0343B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]	2_2_0343B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]	2_2_0343B6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]	2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034EF6C7 mov eax, dword ptr fs:[00000030h]	2_2_034EF6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034616CF mov eax, dword ptr fs:[00000030h]	2_2_034616CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]	2_2_034C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]	2_2_034C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]	2_2_034C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]	2_2_034C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]	2_2_034C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]	2_2_034C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345D6E0 mov eax, dword ptr fs:[00000030h]	2_2_0345D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0345D6E0 mov eax, dword ptr fs:[00000030h]	2_2_0345D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034636EF mov eax, dword ptr fs:[00000030h]	2_2_034636EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]	2_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034ED6F0 mov eax, dword ptr fs:[00000030h]	2_2_034ED6F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]	2_2_034B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]	2_2_034B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]	2_2_034B368C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]	2_2_034B368C

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 4_2_00C2949C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,

4_2_00C2949C

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C32000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_00C32000
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4_2_00C326B0 SetUnhandledExceptionFilter,		4_2_00C326B0

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4084			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 4084			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: C20000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 28C1008

Jump to behavior

Source: C:\Users\user\Desktop\New Order #60-958400861900.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\New Order #60-958400861900.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 4_2_00C2C9F6 AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid,

4_2_00C2C9F6

Source: C:\Windows\SysWOW64\raserver.exe

4_2_00C2C9F6

Source: explorer.exe, 00000003.00000002.3956247905.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1558424673.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.1558424673.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3954776084.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3954386438.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1558424673.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3954776084.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000003.00000000.1558424673.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3954776084.0000000001090000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.1562460547.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076085890.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q
Source: New Order #60-958400861900.exe	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 4_2_00C328C5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_00C328C5

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	512 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	512 Process Injection	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New Order #60-958400861900.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
New Order #60-958400861900.exe	33%	Virustotal		Browse
New Order #60-958400861900.exe	100%	Avira	HEUR/AGEN.1321293
New Order #60-958400861900.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.ubuz.net	54.37.173.127	true	true	unknown
www.pp-games-delearglu.xyz	unknown	unknown	true	unknown
www.atangtoto4.click	unknown	unknown	true	unknown
www.anatanwater.net	unknown	unknown	true	unknown
www.orsaperevod.online	unknown	unknown	true	unknown
www.arriage-therapy-72241.bond	unknown	unknown	true	unknown
www.insgw.bond	unknown	unknown	true	unknown
www.dneshima.today	unknown	unknown	true	unknown
www.nlinechat-mh.online	unknown	unknown	true	unknown
www.amingacor.click	unknown	unknown	true	unknown
www.yschoollist.kiwi	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.orsaperevod.online/e62s/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://powerpoint.office.comer	explorer.exe, 00000003.00000000.1564976586.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3965775431.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pp-games-delearglu.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ubuz.net/e62s/www.42bet.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSA4	explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.yschoollist.kiwi/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.anatanwater.net/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958104656.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000000.1564976586.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3965775431.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.atangtoto4.click/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.anatanwater.net	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pp-games-delearglu.xyzReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ams.zone/e62s/	explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.insgw.bond/e62s/www.yschoollist.kiwi	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.42bet.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orsaperevod.online	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mwquas.xyz/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.microsoft.c	explorer.exe, 00000003.00000000.1562460547.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3958432819.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076208326.0000000009237000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.amingacor.clickReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOSd	explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dneshima.today	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dneshima.today/e62s/www.anatanwater.net	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ubuz.net	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orsaperevod.onlineReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.uckyspinph.xyz/e62s/www.ams.zone	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nlinechat-mh.onlineReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.aspart.shop/e62s/www.uckyspinph.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.insgw.bond	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mwquas.xyz/e62s/www.dneshima.today	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.arriage-therapy-72241.bond/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.yschoollist.kiwiReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com	explorer.exe, 00000003.00000000.1564976586.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3965775431.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pp-games-delearglu.xyz/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.atangtoto4.clickReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.yschoollist.kiwi	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aspart.shop	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ams.zoneReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000003.00000002.3965775431.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1564976586.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076644181.000000000BCBC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BCB9000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.arriage-therapy-72241.bond	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.arriage-therapy-72241.bond/e62s/www.ubuz.net	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.amingacor.click/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000003.00000002.3958104656.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1562460547.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aspart.shop/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.42bet.xyz/e62s/www.aspart.shop	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.anatanwater.netReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.amingacor.click/e62s/www.mwquas.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.mwquas.xyzReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.uckyspinph.xyzReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.micro	explorer.exe, 00000003.00000002.3957258239.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1559099867.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1561599519.0000000007710000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.insgw.bondReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/EM0	explorer.exe, 00000003.00000000.1564976586.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2284687253.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.atangtoto4.click	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.insgw.bond/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.42bet.xyz/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dneshima.todayReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.anatanwater.net/e62s/www.orsaperevod.online	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mwquas.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orsaperevod.online/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nlinechat-mh.online/e62s/www.atangtoto4.click	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ams.zone	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.arriage-therapy-72241.bondReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.aspart.shopReferer:	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.atangtoto4.click/e62s/www.pp-games-delearglu.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nlinechat-mh.online/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.pp-games-delearglu.xyz/e62s/www.amingacor.click	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.uckyspinph.xyz/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ubuz.net/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.dneshima.today/e62s/	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.uckyspinph.xyz	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://ns.adobeS	explorer.exe, 00000003.00000002.3955844536.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560467949.0000000004405000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orsaperevod.online/e62s/www.insgw.bond	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.yschoollist.kiwi/e62s/www.arriage-therapy-72241.bond	explorer.exe, 00000003.00000003.2284276267.000000000C15D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3969112074.000000000C170000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3075599814.000000000C15D000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc	explorer.exe, 00000003.00000003.2284514686.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3956421912.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1560967018.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3076408278.0000000006F33000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522519
Start date and time:	2024-09-30 09:56:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	New Order #60-958400861900.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/1@11/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:57:41	API Interceptor	7496748x Sleep call for process: explorer.exe modified
03:58:15	API Interceptor	6709998x Sleep call for process: raserver.exe modified

Process:	C:\Users\user\Desktop\New Order #60-958400861900.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.847545718952807
Encrypted:	false
SSDEEP:	3072:pXGRvUCfUv5wYVPM9+DrcW6GHQhF7ot1kMRTklEDliAwid7gbkPudWRo1X3:sRvBfe5wh+cWJQhdonkMaWiGg5
MD5:	AF65806D10BE0BA0407059FC0C380000
SHA1:	17FFAF5B4007832A4F664C956FF6A3F4BBBF849C
SHA-256:	13E8B6DA6FD6BD497015586D80BE861DF0B479C30B41621648FC897008C756C5
SHA-512:	555727600A8E732BCB4E6F18CD4C961CDD84954247D408DE88E4D87E9EC68B326E59098290E63767D42F83FB115932AB9565B13A1D5B6B1204E4DCFE520B867F
Malicious:	false
Reputation:	low
Preview:	~j...6BVJo.P.....F3...b4_...Q830JF06BVJ7WXYIQ830JF06BVJ7WX.IQ8=/.H0.K.k.V..h.PZCj6BY%$+Zw;8'?WG.(#.D78j^9x....^_.#.;O\n7WXYIQ8..B..$.1..7..0....$.7...7..0...$..^40..7.30JF06BVJ7WXYIQ8cuJF\|7CV..R.YIQ830JF.6@WA6]XY.S830JF06BV*.VXYYQ83.HF06.VJ'WXYKQ860KF06BVO7VXYIQ83.HF04BVJ7WX[I..30ZF0&BVJ7GXYYQ830JF 6BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVdC2 -IQ8..HF0&BVJ.UXYYQ830JF06BVJ7WXyIQX30JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BVJ7WXYIQ830JF06BV

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.389514186356158
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New Order #60-958400861900.exe
File size:	1'095'969 bytes
MD5:	1f722c0fe2a947b86676925fe00d40bf
SHA1:	1b21430ab7ac416ffe9cc6a1d78c60e4b35d45a2
SHA256:	b16f599225a875a9f8dd55e32467522916d48337bfa30939d4e48ee50cf96a88
SHA512:	96c2dd52635e21cb56adecb411406f0f780f9b465937f2b28423f2019aec50774f1ade7ece8aa51d93c0a535f85243e81a2e737c367745d0dc171a85bdfde3ca
SSDEEP:	24576:5RmJkcoQricOIQxiZY1iaXcm8BxbLrryLGmiV01I+S8Qy:WJZoQrbTFZY1iaXT8BxbLvy0V01IG
TLSH:	DD35E122F5C69076C2F323B19E7EF36A963D69360336D29B27C82D315E604416B39763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	32642092d4f29244

Static PE Info

General

Entrypoint:	0x4165c1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3bf8a7746a8d1ee8f6e5960c3f69378

Entrypoint Preview

Instruction
call 00007F28F88793CBh
jmp 00007F28F887023Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F28F88703BAh
cmp edi, eax
jc 00007F28F8870556h
cmp ecx, 00000080h
jc 00007F28F88703CEh
cmp dword ptr [004A9724h], 00000000h
je 00007F28F88703C5h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F28F88703B7h
jmp 00007F28F8870792h
test edi, 00000003h
jne 00007F28F88703C6h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F28F88703DBh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F28F88703BEh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007F28FACE8BB7h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F28F887037Eh
rep movsd
jmp dword ptr [00000000h+edx*4]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d41c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x3ff8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x844	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8061c	0x80800	61ffce4768976fa0dd2a8f6a97b1417a	False	0.5583182605787937	data	6.684690148171278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xdfc0	0xe000	0354bc5f2376b5e9a4a3ba38b682dff1	False	0.36085728236607145	data	4.799741132252136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a758	0x6800	8033f5a38941b4685bc2299e78f31221	False	0.15324519230769232	data	2.1500715391677487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x3ff8	0x4000	421566841a92fc40a01ab335faa2d990	False	0.30645751953125	data	4.320344110169369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab570	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab698	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab7c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.3726547842401501
RT_MENU	0xac868	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xac8b8	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xac9b8	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xacee8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xad578	0x4d0	data	English	Great Britain	0.36363636363636365
RT_STRING	0xada48	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xae048	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xae6a8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xaea30	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xaeb88	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0xaeba0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xaebb8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xaebd0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xaebe8	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xaed88	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll	GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll	DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll	VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-30T10:01:56.079711+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	63786	54.37.173.127	80	TCP
2024-09-30T10:01:56.079711+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	63786	54.37.173.127	80	TCP
2024-09-30T10:01:56.079711+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.8	63786	54.37.173.127	80	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 09:57:42.333338022 CEST	53	63768	1.1.1.1	192.168.2.8
Sep 30, 2024 09:58:08.511046886 CEST	53627	53	192.168.2.8	1.1.1.1
Sep 30, 2024 09:58:08.520010948 CEST	53	53627	1.1.1.1	192.168.2.8
Sep 30, 2024 09:58:08.923826933 CEST	53	51950	162.159.36.2	192.168.2.8
Sep 30, 2024 09:58:09.399738073 CEST	53	64815	1.1.1.1	192.168.2.8
Sep 30, 2024 09:58:28.527101040 CEST	62546	53	192.168.2.8	1.1.1.1
Sep 30, 2024 09:58:28.536022902 CEST	53	62546	1.1.1.1	192.168.2.8
Sep 30, 2024 09:58:48.791538954 CEST	52939	53	192.168.2.8	1.1.1.1
Sep 30, 2024 09:58:48.809613943 CEST	53	52939	1.1.1.1	192.168.2.8
Sep 30, 2024 09:59:09.954538107 CEST	51290	53	192.168.2.8	1.1.1.1
Sep 30, 2024 09:59:09.973002911 CEST	53	51290	1.1.1.1	192.168.2.8
Sep 30, 2024 09:59:51.520651102 CEST	58416	53	192.168.2.8	1.1.1.1
Sep 30, 2024 09:59:51.535985947 CEST	53	58416	1.1.1.1	192.168.2.8
Sep 30, 2024 10:00:12.153544903 CEST	53382	53	192.168.2.8	1.1.1.1
Sep 30, 2024 10:00:12.164505005 CEST	53	53382	1.1.1.1	192.168.2.8
Sep 30, 2024 10:00:32.620110989 CEST	59496	53	192.168.2.8	1.1.1.1
Sep 30, 2024 10:00:32.630043983 CEST	53	59496	1.1.1.1	192.168.2.8
Sep 30, 2024 10:00:53.057698011 CEST	59013	53	192.168.2.8	1.1.1.1
Sep 30, 2024 10:00:53.068849087 CEST	53	59013	1.1.1.1	192.168.2.8
Sep 30, 2024 10:01:13.901721954 CEST	63044	53	192.168.2.8	1.1.1.1
Sep 30, 2024 10:01:13.911299944 CEST	53	63044	1.1.1.1	192.168.2.8
Sep 30, 2024 10:01:35.354465961 CEST	52874	53	192.168.2.8	1.1.1.1
Sep 30, 2024 10:01:35.364872932 CEST	53	52874	1.1.1.1	192.168.2.8
Sep 30, 2024 10:01:55.511662006 CEST	63591	53	192.168.2.8	1.1.1.1
Sep 30, 2024 10:01:55.566476107 CEST	53	63591	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 09:58:08.511046886 CEST	192.168.2.8	1.1.1.1	0xcd12	Standard query (0)	www.nlinechat-mh.online	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:58:28.527101040 CEST	192.168.2.8	1.1.1.1	0xd9ff	Standard query (0)	www.atangtoto4.click	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:58:48.791538954 CEST	192.168.2.8	1.1.1.1	0xf1a5	Standard query (0)	www.pp-games-delearglu.xyz	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:59:09.954538107 CEST	192.168.2.8	1.1.1.1	0x2c72	Standard query (0)	www.amingacor.click	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:59:51.520651102 CEST	192.168.2.8	1.1.1.1	0x6358	Standard query (0)	www.dneshima.today	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:00:12.153544903 CEST	192.168.2.8	1.1.1.1	0x8a05	Standard query (0)	www.anatanwater.net	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:00:32.620110989 CEST	192.168.2.8	1.1.1.1	0xc093	Standard query (0)	www.orsaperevod.online	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:00:53.057698011 CEST	192.168.2.8	1.1.1.1	0x12ce	Standard query (0)	www.insgw.bond	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:01:13.901721954 CEST	192.168.2.8	1.1.1.1	0x67d0	Standard query (0)	www.yschoollist.kiwi	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:01:35.354465961 CEST	192.168.2.8	1.1.1.1	0xbef8	Standard query (0)	www.arriage-therapy-72241.bond	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:01:55.511662006 CEST	192.168.2.8	1.1.1.1	0xbedb	Standard query (0)	www.ubuz.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 09:58:08.520010948 CEST	1.1.1.1	192.168.2.8	0xcd12	Name error (3)	www.nlinechat-mh.online	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:58:28.536022902 CEST	1.1.1.1	192.168.2.8	0xd9ff	Name error (3)	www.atangtoto4.click	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:58:48.809613943 CEST	1.1.1.1	192.168.2.8	0xf1a5	Name error (3)	www.pp-games-delearglu.xyz	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:59:09.973002911 CEST	1.1.1.1	192.168.2.8	0x2c72	Name error (3)	www.amingacor.click	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 09:59:51.535985947 CEST	1.1.1.1	192.168.2.8	0x6358	Name error (3)	www.dneshima.today	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:00:12.164505005 CEST	1.1.1.1	192.168.2.8	0x8a05	Name error (3)	www.anatanwater.net	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:00:32.630043983 CEST	1.1.1.1	192.168.2.8	0xc093	Name error (3)	www.orsaperevod.online	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:00:53.068849087 CEST	1.1.1.1	192.168.2.8	0x12ce	Name error (3)	www.insgw.bond	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:01:13.911299944 CEST	1.1.1.1	192.168.2.8	0x67d0	Name error (3)	www.yschoollist.kiwi	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:01:35.364872932 CEST	1.1.1.1	192.168.2.8	0xbef8	Name error (3)	www.arriage-therapy-72241.bond	none	none	A (IP address)	IN (0x0001)	false
Sep 30, 2024 10:01:55.566476107 CEST	1.1.1.1	192.168.2.8	0xbedb	No error (0)	www.ubuz.net		54.37.173.127	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:57:24
Start date:	30/09/2024
Path:	C:\Users\user\Desktop\New Order #60-958400861900.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Order #60-958400861900.exe"
Imagebase:	0x400000
File size:	1'095'969 bytes
MD5 hash:	1F722C0FE2A947B86676925FE00D40BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:57:30
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Order #60-958400861900.exe"
Imagebase:	0x100000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1613319685.0000000003780000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1613274828.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:57:30
Start date:	30/09/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff62d7d0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.3970385739.0000000010ED1000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	03:57:33
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\raserver.exe"
Imagebase:	0xc20000
File size:	107'520 bytes
MD5 hash:	D1053D114847677185F248FF98C3F255
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3954288181.0000000002F10000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3954486006.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3954455365.0000000003390000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:57:36
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:57:36
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	9.1%
Total number of Nodes:	561
Total number of Limit Nodes:	69

Executed Functions

Function 038FA036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 038FA19F

Strings

0, xrefs: 038FA227

Memory Dump Source

Source File: 00000002.00000002.1613499057.00000000038F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_38f0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: 54444b303fa7553a6f7e131b029fa66de46df37a251a8beabd40aa9065d23ae6
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 22F16274518A4C8FDBA9EFA8C894AEEB7E0FF98300F40466AD54ECB210DF349645CB41

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

rMA, xrefs: 0041A41D, 0041A424
1JA, xrefs: 0041A3FC, 0041A408
rMA, xrefs: 0041A402, 0041A410

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 038FA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 038FA19F

Strings

0, xrefs: 038FA0CD

Memory Dump Source

Source File: 00000002.00000002.1613499057.00000000038F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 038F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_38f0000_svchost.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: bc0fae44e763317cf0198af7c3041777600fbb135e7b49b0b173ddf5a57b8641
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 6E512B70918A8C8FDBA9EF68C8946EEBBF4FB98314F40462ED54AD7210DF349645CB41

Function 0041A50A Relevance: 1.6, APIs: 1, Instructions: 61
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 064ac802250dd168c771c934be1c777717bec99c171f8d87037b9a5dd00dfe46
Instruction ID: 9358d6daa1ff97c925a1331317f0151710bc5f3daa26d1eacd9d54fbf48be5df
Opcode Fuzzy Hash: 064ac802250dd168c771c934be1c777717bec99c171f8d87037b9a5dd00dfe46
Instruction Fuzzy Hash: 941103B6210218ABCB14DF89DC81EEB77ADAF8C754F118559FE1897241C634E861CBE0

Function 0041A2EA Relevance: 1.6, APIs: 1, Instructions: 57
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0c3546f6f5ba8f1124a9cbad1294cc35b42613a308221493e4830bbd4581e154
Instruction ID: 59c62e2d0d8e7d5a6aaf3d0252883a96809975ecce9ec0d45cc9af1b379e87e9
Opcode Fuzzy Hash: 0c3546f6f5ba8f1124a9cbad1294cc35b42613a308221493e4830bbd4581e154
Instruction Fuzzy Hash: 071105B2204208AFDB08CF98DC85DEB77ADEF8C724F048549BA5C9B241C630E811CBA5

Function 0041A58B Relevance: 1.6, APIs: 1, Instructions: 50
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4e1db3414c0164043b1febb0bea3a7816c927774ba8fe30c406b65c49da7ce32
Instruction ID: 809d6d72740204bc2231e91da39e38fcd7de3b2d1b9c177ce5bdb5944dc2e7b0
Opcode Fuzzy Hash: 4e1db3414c0164043b1febb0bea3a7816c927774ba8fe30c406b65c49da7ce32
Instruction Fuzzy Hash: CC0116B5210208ABCB14DF89DC81DEB73ADEF88254F10850ABA0897201C634E961CBB1

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Function 0041A510 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0

Function 03472B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472B6A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
Instruction ID: 7696a08e5a0c48e97cb664b4b09091bd128144885373470c9bf44bae4d9bad19
Opcode Fuzzy Hash: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
Instruction Fuzzy Hash: 86900261202404034105B258445465A400BC7F0301B95C022E1014994DC72589916129

Function 03472BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472BFA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
Instruction ID: bfb556593fc9188f6595328e0eef3940e6ea9b95108cc597480273b1cd83c652
Opcode Fuzzy Hash: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
Instruction Fuzzy Hash: 0F90023120140C02D180B258444468E0006C7E1301FD5C016A0025A58DCB158B5977A5

Function 03472AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472ADA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
Instruction ID: 69daad7016237f5548ded85334c572891d3c2dbd83542f723c1ab4b59bccc68d
Opcode Fuzzy Hash: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
Instruction Fuzzy Hash: EA900435311404030105F75C074454F0047C7F53513D5C033F1015D54CD731CD715135

Function 03472F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472F3A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
Instruction ID: c14d874ccc1f0c1e00700b0332997a2ac578efca10b798a98b9ae6454404502b
Opcode Fuzzy Hash: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
Instruction Fuzzy Hash: F090026134140842D100B2584454B4A0006C7F1301F95C016E1064958D8719CD52612A

Function 03472FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472FEA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
Instruction ID: 8578209f691f6f6d3f36360c5e96c9e92a940fe244bfb2d04a34e426fd988201
Opcode Fuzzy Hash: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
Instruction Fuzzy Hash: 6B900221211C0442D200B6684C54B4B0006C7E0303F95C116A0154958CCB1589615525

Function 03472F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472F9A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b20f8bbb71df9137e109f31caedc5a56ee0cf081caa111bccc693983ff269468
Instruction ID: a1b10872354a22db717931eaa8a5ccbf7e5a5c287dff298ea38925f5f3e67ddd
Opcode Fuzzy Hash: b20f8bbb71df9137e109f31caedc5a56ee0cf081caa111bccc693983ff269468
Instruction Fuzzy Hash: A790023120180802D100B258485474F0006C7E0302F95C012A1164959D872589516575

Function 03472FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472FBA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5893831817649cb1e1e44d0510f1dc0d2af392abf5f640d6a28f0f95e01da98
Instruction ID: 1b8e297135e053990b57d6a5726b469420328d6dd36b46e306be3dfe52296c16
Opcode Fuzzy Hash: c5893831817649cb1e1e44d0510f1dc0d2af392abf5f640d6a28f0f95e01da98
Instruction Fuzzy Hash: 97900221601404424140B268888494A4006EBF1311795C122A0998954D875989655669

Function 03472E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472E8A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
Instruction ID: 5b2508f1a83d2d699049f6d0716aa297cdb4ef6126c4b29bee7b16b2be661737
Opcode Fuzzy Hash: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
Instruction Fuzzy Hash: C390022160140902D101B258444465A000BC7E0341FD5C023A1024959ECB258A92A135

Function 03472EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472EAA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7100db012def2b0bbbf263ce108f076d09d5a54425d3900cab2ba46494054c56
Instruction ID: 4abfbba142434adec4460873ee202493d5e6294d3ba8062f7428d1cf29506f5e
Opcode Fuzzy Hash: 7100db012def2b0bbbf263ce108f076d09d5a54425d3900cab2ba46494054c56
Instruction Fuzzy Hash: 2590027120140802D140B258444478A0006C7E0301F95C012A5064958E87598ED56669

Function 03472D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472D1A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
Instruction ID: ffc033f7e1f6c6890b4aac20874f2776d581f4be96ba09313c4e47e33bd37ac5
Opcode Fuzzy Hash: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
Instruction Fuzzy Hash: D790022921340402D180B258544864E0006C7E1302FD5D416A001595CCCB1589695325

Function 03472D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472D3A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
Instruction ID: 3e068da38f2575aa266daf77abc10c18cfa6c1e4e4eb60675e31b78fc05b6fb4
Opcode Fuzzy Hash: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
Instruction Fuzzy Hash: E690022130140403D140B258545864A4006D7F1301F95D012E0414958CDB1589565226

Function 03472DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472DDA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
Instruction ID: 59f5aeeb119ec5e2b9127aed687eddae7065d09bc08c4bfc827971450e953640
Opcode Fuzzy Hash: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
Instruction Fuzzy Hash: 60900221242445525545F258444454B4007D7F03417D5C013A1414D54C87269956D625

Function 03472DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472DFA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
Instruction ID: a81098e5722d36f428ef954467ae2455a47630f9ac59229d58944769b4d7c5f7
Opcode Fuzzy Hash: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
Instruction Fuzzy Hash: A890023120140813D111B258454474B000AC7E0341FD5C413A042495CD97568A52A125

Function 03472CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472CAA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
Instruction ID: 946a263a7d4d4efd4ba6c07d996a6645221cdf0dd07269b2c62c99fa2a5343fa
Opcode Fuzzy Hash: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
Instruction Fuzzy Hash: 4790023120140802D100B698544868A0006C7F0301F95D012A5024959EC76589916135

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0fd0da5d55d4731eff0cc0ebb7b9ef8604c4f97800419623fbc7c6c54832bc
Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
Opcode Fuzzy Hash: 2c0fd0da5d55d4731eff0cc0ebb7b9ef8604c4f97800419623fbc7c6c54832bc
Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f835dfc7be264ead7bcfc712345794832f517f55077c4f70dc30c3f92beae668
Instruction ID: 8ba9db0b351a249769cac9d849e4c5cb071404cae64484f45b770dc82d1ecd7c
Opcode Fuzzy Hash: f835dfc7be264ead7bcfc712345794832f517f55077c4f70dc30c3f92beae668
Instruction Fuzzy Hash: 4601F971A81318BBE721A6509C03FFF7B1C9B41F14F04011EFF44BA1C1D6A9290647E5

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0041A812 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b92b3424ed67801ca82ba77569421946b35dff99f8cd50d6e8107618b23beb5d
Instruction ID: 3c373cb03b59789cb00b4510761848c8680c9f533103ff9386d2c7ecc24e1942
Opcode Fuzzy Hash: b92b3424ed67801ca82ba77569421946b35dff99f8cd50d6e8107618b23beb5d
Instruction Fuzzy Hash: 0401A7B5211214AFDB10DFA8CC49ED77768EF88724F05845AF91C5B341C535E911C7E1

Function 0041A791 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 283fabbc4d039aee57eec056626321f5b409fc24e4bdcf67055a507ef6476049
Instruction ID: 42f6a975cf4da9a2ca162bd59472b7dbdffcfa3627965484729015c79382af0b
Opcode Fuzzy Hash: 283fabbc4d039aee57eec056626321f5b409fc24e4bdcf67055a507ef6476049
Instruction Fuzzy Hash: ADE092B1305204ABEB20EF44CC85EEB73A8EF89354F00C559F94C57681C635A826CBB5

Function 00419C9B Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

RtlSetEnvironmentVariable.NTDLL(00000000,?,0040AEAD,0040AEAD,?,00000000,?,00000000,?,?,?,00000000,000002A4), ref: 00419CCD

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 6863446d246314187811906fff6d096ce3715bc609d9919294c16d2da3af0316
Instruction ID: a56561e3c85d277b78e54deb3432bd9103e8f0e6c81c1bd7cb00826fbc9f16e8
Opcode Fuzzy Hash: 6863446d246314187811906fff6d096ce3715bc609d9919294c16d2da3af0316
Instruction Fuzzy Hash: 7AE04FB52012046FD714DF99CC44EE737A9EF88354F114659FD089B382C231E912CBB0

Function 0041A673 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: de203191a5ac83adbfc24b26316e894f9c6f8748d6461ce59de3c8d9674acbd3
Instruction ID: 2b33a5aaf690a40a201145d58288987b945e6dc1b7dd50ef313739d19b8aff33
Opcode Fuzzy Hash: de203191a5ac83adbfc24b26316e894f9c6f8748d6461ce59de3c8d9674acbd3
Instruction Fuzzy Hash: D2E0DF71212310BBD720EF55CC86FD73BA8EF48354F008069BD485B242D631EA02CBE1

Function 00419CA0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

RtlSetEnvironmentVariable.NTDLL(00000000,?,0040AEAD,0040AEAD,?,00000000,?,00000000,?,?,?,00000000,000002A4), ref: 00419CCD

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 15061818c7b19093b22a321fa4894f465473496602b0918ac25cb7161cb3db49
Instruction ID: 1b9df7c86b764ebdb19e08fc49181027903aa328b0957bf6a63fdb3bb6572a5d
Opcode Fuzzy Hash: 15061818c7b19093b22a321fa4894f465473496602b0918ac25cb7161cb3db49
Instruction Fuzzy Hash: C6E012B5211208ABDB14EF89CC41EA777ACAF88624F018499BA085B282C630E9118AF0

Function 0041A640 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Function 0041A63B Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7f4b10add5d2f06863c931fa4b9b8a0feb2dbf4d18a18d5f7cbc47efa3906ef7
Instruction ID: 400a29dfae68231bc05ccf1716eccf5f186e0122f56357e1c60e78a8e79026a8
Opcode Fuzzy Hash: 7f4b10add5d2f06863c931fa4b9b8a0feb2dbf4d18a18d5f7cbc47efa3906ef7
Instruction Fuzzy Hash: FDE01AB1210204AFDB18DF69DC85EE73768EF88354F114559F90897241C631E911CBA4

Function 0041A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

Function 03472C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03472C24

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 361699771760aa7245790f27e8a9b46a8e6ad34475901b572e98c609debcbedf
Instruction ID: 8f8620567cc94c6ef084f93af80d3e55f75ec2df566e58a965bfb607d0785538
Opcode Fuzzy Hash: 361699771760aa7245790f27e8a9b46a8e6ad34475901b572e98c609debcbedf
Instruction Fuzzy Hash: 91B09B719015C5C9DA11F760460875B7905A7E0701F59C463D3030A55E4779C1D1E179

Non-executed Functions

Function 034B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 034B2942
RaiseExceptionOnPossibleDeadlock, xrefs: 034B2579
UseImpersonatedDeviceMap, xrefs: 034B251C
minkernel\ntdll\ldrinit.c, xrefs: 034B3187
@, xrefs: 034B2B74
UnloadEventTraceDepth, xrefs: 034B24C0
TracingFlags, xrefs: 034B2549
CFGOptions, xrefs: 034B2967
ExecuteOptions, xrefs: 034B25A0
GlobalFlag2, xrefs: 034B2FC0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 034B3176
LdrpInitializeExecutionOptions, xrefs: 034B317D
ShutdownFlags, xrefs: 034B24A1
MaxLoaderThreads, xrefs: 034B24EC
DisableExceptionChainValidation, xrefs: 034B275F
FrontEndHeapDebugOptions, xrefs: 034B2489
GlobalFlag, xrefs: 034B2F3F, 034B3059
DisableHeapLookaside, xrefs: 034B246D
MaxDeadActivationContexts, xrefs: 034B2D82
MinimumStackCommitInBytes, xrefs: 034B2BB0

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 904abda1931b20ce6482e1bc31a2c16ac8de1755c60dd4c7170784955dc8acc8
Instruction ID: 6d49643731085dff88d55b34d2d257a5c262f96c3b3fcd0c09875bb952449cc8
Opcode Fuzzy Hash: 904abda1931b20ce6482e1bc31a2c16ac8de1755c60dd4c7170784955dc8acc8
Instruction Fuzzy Hash: 7C925C75604741AFD720DE25C880BABB7F8BB84750F144D2EFA949F250D7B0E845CB6A

Function 034268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON

Download Yara Rule

Strings

Could not locate procedure "%s" in the shim engine DLL, xrefs: 03489BB3
SE_DllLoaded, xrefs: 03426978
SE_DllUnloaded, xrefs: 034269A5
minkernel\ntdll\ldrinit.c, xrefs: 03489BC3
LdrpGetShimEngineInterface, xrefs: 03489BB9
ApphelpCheckModule, xrefs: 03426A86
SE_ShimDllLoaded, xrefs: 034268F1
apphelp.dll, xrefs: 0342698A
SE_LdrEntryRemoved, xrefs: 034269D2
SE_LdrResolveDllName, xrefs: 03426A2C
SE_ProcessDying, xrefs: 034269FF
SE_InitializeEngine, xrefs: 034268C5
SE_InstallBeforeInit, xrefs: 0342691E
SE_GetProcAddressForCaller, xrefs: 03426A59
SE_InstallAfterInit, xrefs: 0342694B

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-3089669407
Opcode ID: 237ea7aa131b191abd8767d0a26495d6140b92e5057cc3815df30a9e7e40a582
Instruction ID: 499db2f6c81346b22c79182c2c51ec5e81168529dafa106bc467a71c2cdf98aa
Opcode Fuzzy Hash: 237ea7aa131b191abd8767d0a26495d6140b92e5057cc3815df30a9e7e40a582
Instruction Fuzzy Hash: 008122B2D016186F8B11FB99DDC0DEEB7BDAB15610B150867B910FF114E730EE099BA4

Function 03468620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Address of the debug info found in the active list., xrefs: 034A54AE, 034A54FA
corrupted critical section, xrefs: 034A54C2
undeleted critical section in freed memory, xrefs: 034A542B
Critical section address., xrefs: 034A5502
Invalid debug info address of this critical section, xrefs: 034A54B6
8, xrefs: 034A52E3
Thread identifier, xrefs: 034A553A
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A540A, 034A5496, 034A5519
double initialized or corrupted critical section, xrefs: 034A5508
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A54CE
Thread is in a state in which it cannot own a critical section, xrefs: 034A5543
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A54E2
Critical section address, xrefs: 034A5425, 034A54BC, 034A5534
Critical section debug info address, xrefs: 034A541F, 034A552E

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 98cb35ddcd8f15614c294b7f325e4fcf91588a0cdf18043cfb09e91b5e29a4a0
Instruction ID: 15de0230ce7a1537af1e4f9859bd316f6f7614358bf7158002275784461abdb9
Opcode Fuzzy Hash: 98cb35ddcd8f15614c294b7f325e4fcf91588a0cdf18043cfb09e91b5e29a4a0
Instruction Fuzzy Hash: 8281BEB1A00B58EFDB20CF99C940BAEBBB5FB19700F24415AF518BF241D371A945CB68

Function 03460F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON

Download Yara Rule

Strings

0, xrefs: 03460F92
h, xrefs: 03460FB0
, xrefs: 03460FEC
l, xrefs: 03460FC4
!, xrefs: 03460FA6
9, xrefs: 03460F9C
%, xrefs: 03460F7E
%%%u!%s!, xrefs: 034A14A1
%%%u, xrefs: 034A14CC
w, xrefs: 03460FBA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
API String ID: 0-360209818
Opcode ID: 46236668b420dac65189a42156e4189c52d2a6c7954b66c9b7c67225822c5a31
Instruction ID: 8a79a273a0b4f2c4d87d3fbdac31dc6fcda57a2dda30525a5a3692b2d27f5379
Opcode Fuzzy Hash: 46236668b420dac65189a42156e4189c52d2a6c7954b66c9b7c67225822c5a31
Instruction Fuzzy Hash: 1D6290B5E006298FDB24CF18C8417AAB7B6AFA5310F5882DBD449AF340D7325AD1CF49

Function 034E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 034E18F8
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 034E186B
Free Heap block %p modified at %p after it was freed, xrefs: 034E171B
HEAP: , xrefs: 034E1706, 034E1756, 034E17A8, 034E1809, 034E184D, 034E1895, 034E18E6
Heap block at %p has incorrect segment offset (%x), xrefs: 034E181A
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 034E176D
HEAP[%wZ]: , xrefs: 034E16CD, 034E16F9, 034E1749, 034E179B, 034E17FC, 034E1840, 034E18D9
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 034E18A5
Heap block at %p is not last block in segment (%p), xrefs: 034E17B7

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 8121ae0256373ef86f5b100b1a11fab926531e6e68e9329e20434c30ed5edf93
Instruction ID: c67eb5b30f35a198ed420fedb4ff112d2d123dcb4eb52633acb8f3874eafcfac
Opcode Fuzzy Hash: 8121ae0256373ef86f5b100b1a11fab926531e6e68e9329e20434c30ed5edf93
Instruction Fuzzy Hash: 8912BA746406429FD725CF29C440BBABBE1FF09706F18849EE4A68F782D734E881CB58

Function 0344AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 034980B7
LdrpInitializeDllPath, xrefs: 034980AD
minkernel\ntdll\ldrfind.c, xrefs: 034982E1
LdrGetDllHandleEx, xrefs: 0349807C, 034983B2
minkernel\ntdll\ldrapi.c, xrefs: 03498086, 034983BC
Status: 0x%08lx, xrefs: 034982D0, 034983AB
DLL search path passed in externally: %ws, xrefs: 034980A6
DLL name: %wZ, xrefs: 03498075
LdrpFindLoadedDllInternal, xrefs: 034982D7

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: c707e9ba33b336cdf8e7a6f6f2a61b34dccbf8b0b6925c2157399ff90f97cb18
Instruction ID: 6e6e1b48dddfc656793f8951ab57c82a5cef9b78f434b881e904194ed44c76d0
Opcode Fuzzy Hash: c707e9ba33b336cdf8e7a6f6f2a61b34dccbf8b0b6925c2157399ff90f97cb18
Instruction Fuzzy Hash: 5E12BA71A083418FE724DF28C840BABB7E4EF85704F08096FE9958F291E774D945CB9A

Function 0342D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

Control Panel\Desktop, xrefs: 0342D45D
@, xrefs: 0342D3E9
MachinePreferredUILanguages, xrefs: 0342D685
PreferredUILanguagesPending, xrefs: 0348A8DE
Control Panel\Desktop\MuiCached, xrefs: 0342D62B
@, xrefs: 0342D663
PreferredUILanguages, xrefs: 0342D4B8, 0342D4C5
@, xrefs: 0342D49D
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0342D3B6

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: f9af6e65f4f183343f42f62cd200e6778af01037fea24292d99c48602481cfe4
Instruction ID: 3c7b8c2b35a95d93dad58e4b4d5979ec1388248ad66ce7d218d946346b5d7666
Opcode Fuzzy Hash: f9af6e65f4f183343f42f62cd200e6778af01037fea24292d99c48602481cfe4
Instruction Fuzzy Hash: 59B19A719083619FC711EF24C440A6FBBE8AB89744F45092FF8A8EF350D7B0D9458B9A

Function 034C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

\BaseNamedObjects, xrefs: 034C949E
BaseNamedObjects, xrefs: 034C9477, 034C947C
Global\Session\%ld%s, xrefs: 034C94C5
%s\%ld\%s, xrefs: 034C948D
AppContainerNamedObjects, xrefs: 034C946E, 034C94D6
%s\%u-%u-%u-%u, xrefs: 034C9422
\AppContainerNamedObjects, xrefs: 034C94AB, 034C94B9
\Sessions, xrefs: 034C9488

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 2994545307-3063724069
Opcode ID: fdb73c106b18d97fdda2f1c08effb367dc1cb2979bbc7440e480ef4c895d9b44
Instruction ID: d2eb3a99821972a2ef8aa10e861c988505022a02fcc594f5479361af8b082ec6
Opcode Fuzzy Hash: fdb73c106b18d97fdda2f1c08effb367dc1cb2979bbc7440e480ef4c895d9b44
Instruction Fuzzy Hash: 4ED1E376918391BFD761DB64C840BAFB7E8AF84714F04492FFA949F260D770C9048B9A

Function 034E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 034E04D3
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 034E069F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 034E06EA
Just reallocated block at %p to %Ix bytes, xrefs: 034E05F1
HEAP: , xrefs: 034E03A6, 034E04B5, 034E05DD, 034E0682, 034E06D9
About to reallocate block at %p to %Ix bytes, xrefs: 034E03BA
RtlReAllocateHeap, xrefs: 034E02BF, 034E0362
HEAP[%wZ]: , xrefs: 034E0399, 034E04A8, 034E05D0, 034E0675, 034E06CC

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: b5defac8c1aae467a4a0a5718dcc4342c8ea8f964e75e8edfb50389839bad91f
Instruction ID: d23c1727d13ccec169274de3667fa5720f4b8dd0c693dd007ec67bceaeccb9ef
Opcode Fuzzy Hash: b5defac8c1aae467a4a0a5718dcc4342c8ea8f964e75e8edfb50389839bad91f
Instruction Fuzzy Hash: 84D1CE75600685DFCB21DF6AC440AAEFBF1FF46611F08809AE465AF362C7749942CF18

Function 0342D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 0342D313
@, xrefs: 0342D0FD
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0342D262
@, xrefs: 0342D2AF
Control Panel\Desktop\LanguageConfiguration, xrefs: 0342D196
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0342D146
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0342D2C3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0342D0CF

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 6b5309b55c0c48a737d7d5153248c54eb170b29eca9a37d08d1ddc3a0dd5d247
Instruction ID: 4b69a293ccdad02b407d3b8ac09260a1d71beea77780606d2c1763d1a5efacc9
Opcode Fuzzy Hash: 6b5309b55c0c48a737d7d5153248c54eb170b29eca9a37d08d1ddc3a0dd5d247
Instruction Fuzzy Hash: 36A17A719083559FD320DF25C444BAFFBE8BB85715F40492FE5A8AE240D7B4D908CBAA

Function 03449EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON

Download Yara Rule

Strings

minkernel\ntdll\sxsisol.cpp, xrefs: 03497713, 034978A4
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03497709
@, xrefs: 03449EE7
sxsisol_SearchActCtxForDllName, xrefs: 034976DD
Internal error check failed, xrefs: 03497718, 034978A9
Status != STATUS_NOT_FOUND, xrefs: 0349789A
[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 034976EE

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-761764676
Opcode ID: 20c16c80ecfef242242bfde07e1dc93ea24f28a8ae58f4ddd212b84fc1c8b0dc
Instruction ID: 7c1b73f21cecfb4b5d377466e7bdf7536b2549a10ce69f5443f3b435e2d73168
Opcode Fuzzy Hash: 20c16c80ecfef242242bfde07e1dc93ea24f28a8ae58f4ddd212b84fc1c8b0dc
Instruction Fuzzy Hash: 53127E749102159FEF14CFA8C881AAEBBB4FF48714F1880ABE855EF351E7349841CB69

Function 0343EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 0343EB58
T, xrefs: 0343EB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0343EB6C
, xrefs: 0343F299
R, xrefs: 0343EB62
{, xrefs: 03494643

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: ac5e19e74e4b0e43824b64a0a4e4574fc5fb55db9c53631f89e8e7f28d6d0912
Instruction ID: 0ed53c6dc7a038573379b357162e6d251e8b9c3c6fb859fe0e04d6c8f9791754
Opcode Fuzzy Hash: ac5e19e74e4b0e43824b64a0a4e4574fc5fb55db9c53631f89e8e7f28d6d0912
Instruction Fuzzy Hash: 85A22B75E056298FDF64CF19C8887AABBB5AF49304F1442DBD419AB350DB349E86CF08

Function 0342F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 0348E291
((LONG)FreeEntry->Size > 1), xrefs: 0348E0B3
HEAP: , xrefs: 0348DF64, 0348E0A8, 0348E286, 0348E39E
HEAP[%wZ]: , xrefs: 0348DF57, 0348E09B, 0348E279, 0348E391
(UCRBlock != NULL), xrefs: 0348DF6F
(!TrailingUCR), xrefs: 0348E3A9

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: accab0620e7ab1ac2480eb9270aaaa645e9030fc856f761a5610618cac9334fa
Instruction ID: def582e9bc45274ff4dfefbca0672cd4271fc8d69d0311b398d0dce635bd3517
Opcode Fuzzy Hash: accab0620e7ab1ac2480eb9270aaaa645e9030fc856f761a5610618cac9334fa
Instruction Fuzzy Hash: AD420F356083918FD714EF29C480A2BFBE5FF85204F88496EE8959F351D730D88ACB5A

Function 0343ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON

Download Yara Rule

Strings

LdrpResSearchResourceMappedFile Enter, xrefs: 0343AEB8
#, xrefs: 0349363D
H, xrefs: 0343AEC2
J, xrefs: 0343AEAE
MUI, xrefs: 0343B410
LdrpResSearchResourceMappedFile Exit, xrefs: 0343AECC

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
API String ID: 0-4098886588
Opcode ID: e36e005fc489be51b133fcd584b56b57b272acc80958a8d27aa6295685e36c6a
Instruction ID: cf81ecdcec24e23c61d580d3c9ca1680cef6b8797d815ac871405f38867deefc
Opcode Fuzzy Hash: e36e005fc489be51b133fcd584b56b57b272acc80958a8d27aa6295685e36c6a
Instruction Fuzzy Hash: 01328E75A442698BEF21CF14C858BEEB7B9EB4A340F1441EBD859AF350D7319E818F48

Function 0344B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName, xrefs: 03498403, 034984D7
minkernel\ntdll\ldrutil.c, xrefs: 0349840D, 034984E1
API set, xrefs: 034983F4, 034983F9
SxS, xrefs: 034983ED
DLL %wZ was redirected to %wZ by %s, xrefs: 034983FC
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 034984D0

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 6e1761a69dd6934e2a18616b58ee344397d05b8bb552fb7179d5c7613ac8786c
Instruction ID: 4bc488deb819c2603e0f3a8c2adcd9964c58be60202a2b82f4739082271a1503
Opcode Fuzzy Hash: 6e1761a69dd6934e2a18616b58ee344397d05b8bb552fb7179d5c7613ac8786c
Instruction Fuzzy Hash: 4DC11931A00215ABEF24DB69C881BBFBB65EF46300F18407BE8959F391E7B4D945C399

Function 034663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

_LdrpInitialize, xrefs: 034A40DF, 034A4141, 034A4205, 034A425F
minkernel\ntdll\ldrinit.c, xrefs: 034A40E9, 034A414B, 034A420F, 034A4269
Process initialization failed with status 0x%08lx, xrefs: 034A413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 034A40D8
Delaying execution failed with status 0x%08lx, xrefs: 034A4258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 034A41FE

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: c04d91b265853cfa093eb008dee1ea166e47283803bf8b49d897c00c23240b7c
Instruction ID: c5690d66ffa543c7d8f8f687fa338890311a65d9e50e63af36b20ca4d1fde58a
Opcode Fuzzy Hash: c04d91b265853cfa093eb008dee1ea166e47283803bf8b49d897c00c23240b7c
Instruction Fuzzy Hash: B3913531A00B149FDB24EF1AE844BAEB7A4FB22714F19052BD4206F391D7B85802D79D

Function 03462674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 034A2178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 034A21BF
SXS: %s() passed the empty activation context, xrefs: 034A2165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 034A2180
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 034A219F
RtlGetAssemblyStorageRoot, xrefs: 034A2160, 034A219A, 034A21BA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: d52e5ac201dca7cf45a1ea6733de6605e1cb20256bda686e124efa6778e6fc62
Instruction ID: 842ca6dcca6ebf11a655d0360970a0d77e22dad27831a203027802a92c5185bc
Opcode Fuzzy Hash: d52e5ac201dca7cf45a1ea6733de6605e1cb20256bda686e124efa6778e6fc62
Instruction Fuzzy Hash: B0313736F406147BE720CE998C41F5FBA78DBA4A41F09446BFA146F241D2F0DA01D7AA

Function 03449950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

, xrefs: 034499F1
minkernel\ntdll\sxsisol.cpp, xrefs: 034976AD
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 034976A3
Internal error check failed, xrefs: 034976B2
, xrefs: 034499F9

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 5720584ce54dc5db203c3fc7543796203956c7cdadeedc593632fd1d9ca97629
Instruction ID: 530007342c2baac6c3516214c6ee05bdba10dc0920b5103f1dc3e7d94c4d396b
Opcode Fuzzy Hash: 5720584ce54dc5db203c3fc7543796203956c7cdadeedc593632fd1d9ca97629
Instruction Fuzzy Hash: 4D0257715083818FE760CF24C184B6BBBE4BF89714F58896FE9988F350D770D8459B9A

Function 034551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 03455352
Kernel-MUI-Language-Allowed, xrefs: 0345527B
Kernel-MUI-Language-SKU, xrefs: 0345542B
Kernel-MUI-Number-Allowed, xrefs: 03455247
WindowsExcludedProcs, xrefs: 0345522A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 9df93206d1654d07a2b0f010e65e159cff1c1f874ddff2f813dd33dec662ea08
Instruction ID: 7a3186dc777dd45395eaa7d3e5d22d66d162affe3d94614e8d9191aef5891166
Opcode Fuzzy Hash: 9df93206d1654d07a2b0f010e65e159cff1c1f874ddff2f813dd33dec662ea08
Instruction Fuzzy Hash: 7CF14C76D00218EFDF11DF95C980AEEBBB9EF49650F1540ABE902AF251D7709E01CB98

Function 034B4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

\, xrefs: 034B4F66
.DLL, xrefs: 034B50C7, 034B519C
.Local, xrefs: 034B5170
\microsoft.system.package.metadata\Application, xrefs: 034B5158
/, xrefs: 034B4F6D

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 80b111605aebd1a00ca663c787b8b1a0dd6cd8bc021b92c4f6d82b16f5fd328c
Instruction ID: d6f95d42cc8f6379100b4806bae1ebd9d6aa20abe6ffcf6b448143340997055c
Opcode Fuzzy Hash: 80b111605aebd1a00ca663c787b8b1a0dd6cd8bc021b92c4f6d82b16f5fd328c
Instruction Fuzzy Hash: 8B91AE76D006199BCB21CF69C881AEEF7B5EF4A310F5941AAE811EB350D735D901CBA8

Function 0345D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

LdrShutdownProcess, xrefs: 0349F2CE
$, xrefs: 0345D900
Process 0x%p (%wZ) exiting, xrefs: 0349F2C7
minkernel\ntdll\ldrinit.c, xrefs: 0349F2D8
$, xrefs: 0345D86D

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: 7fc4c2257810302a56cecbc8f791b167c847cd5e120fe41228b64054e2dce19c
Instruction ID: 33018de20ec85835bb5f58b57187232d49f2a4dfa74cb127bfb5380a7a687670
Opcode Fuzzy Hash: 7fc4c2257810302a56cecbc8f791b167c847cd5e120fe41228b64054e2dce19c
Instruction Fuzzy Hash: 6D51F375E003459FDB24EF65C484B9EBBB1BF4A314F18405AE8216F3A2D774994ACB88

Function 034470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 03447C7C, 0344867F
HEAP[%wZ]: , xrefs: 03447C6D, 03448670
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03447C96, 03448696

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: eab77feb37ff9d1c8a52140546d432c12f90e657e7952faeea301a786cd46deb
Instruction ID: 9610d9aebfb6682e4ae529f98add7fa4e26409c66e3bd508fb1b4ee60ab34f18
Opcode Fuzzy Hash: eab77feb37ff9d1c8a52140546d432c12f90e657e7952faeea301a786cd46deb
Instruction Fuzzy Hash: E2139F70A006558FEB25CF69C4807AAFBF1FF49304F1881AAD855AF381D735A946CF98

Function 03441070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0349588F
HEAP: , xrefs: 03495884
HEAP[%wZ]: , xrefs: 03495877
@, xrefs: 03495A53

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 2994545307-3570731704
Opcode ID: fb9830b6633a221f6cf0aa409cfc53737fc8eee35eff82cabda8ba3f6263b949
Instruction ID: 616b8a811ffca3edd168ed508eab9449378f1fffc92335e6a570c82d3e8ca6a1
Opcode Fuzzy Hash: fb9830b6633a221f6cf0aa409cfc53737fc8eee35eff82cabda8ba3f6263b949
Instruction Fuzzy Hash: DA926875A00228CFEB25CF19C840BAAB7B5BF45314F1981EBD959AB390D7309E81CF59

Function 0344A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03497D39
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03497D56
SsHd, xrefs: 0344A885
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03497D03

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: c86c005a8bee0f754deddd2103bb8cc4a7d74f4758a605c717a9abdee979b978
Instruction ID: f9c6838038c0426aec181e4a0b5a629735bf246c60adb367fc452583aadd834c
Opcode Fuzzy Hash: c86c005a8bee0f754deddd2103bb8cc4a7d74f4758a605c717a9abdee979b978
Instruction Fuzzy Hash: 21D15975A402199BEB24CF98C880AAEFBB5EF48310F19416BE845AF351D371D985CB98

Function 03443D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0344437C, 034445B4, 03444853
HEAP[%wZ]: , xrefs: 0344436D, 034445A5, 03444844
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03444393, 034445CB, 0344486D

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: cb725d2344c500853abab4569a37ee0b3e925ce4439e2660bc6a7ef31f47cd3d
Instruction ID: 4d91fb5e37437b46efc7ddccc7c7c726acb5c396f03a4a67095f819291459521
Opcode Fuzzy Hash: cb725d2344c500853abab4569a37ee0b3e925ce4439e2660bc6a7ef31f47cd3d
Instruction Fuzzy Hash: 62E2B374A006558FEB24CF5AC490BAAF7F1FF49304F1881AAD855AF385D734A846CF98

Function 0343A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 0343A3FF
6, xrefs: 0343A3F7
LdrResFallbackLangList Enter, xrefs: 0343A3EF
8, xrefs: 0343A3E7

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 9ebd3715ebe00e7f5f3f600ce7d8fc64c39620c4a705654247d4d452c8ab3401
Instruction ID: 48ebc854dd1a985aa21fb57029a3a80c908956aeb1b017b8dfaef4da36521e4b
Opcode Fuzzy Hash: 9ebd3715ebe00e7f5f3f600ce7d8fc64c39620c4a705654247d4d452c8ab3401
Instruction Fuzzy Hash: FBC187742483869FDB10CF18C144B6AB7E4AF8A704F04496BF8E68F350E374C94ACB5A

Function 0346273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 034A22B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 034A21D9, 034A22B1
SXS: %s() passed the empty activation context, xrefs: 034A21DE
.Local, xrefs: 034628D8

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 9ff1d861334f100773043af3374a3e0ab98e8461d9c8c957d104b5b243a939fa
Instruction ID: 97ba20dcc9315d07106f2f7d4f60778b9ade40bc39c5c48113ec238da891fcad
Opcode Fuzzy Hash: 9ff1d861334f100773043af3374a3e0ab98e8461d9c8c957d104b5b243a939fa
Instruction Fuzzy Hash: C1A19235A002299FDB24CF54D884B9AB3B4BF58314F1849EBD818AF351D7709E85CF99

Function 0342F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0348E54E
HEAP[%wZ]: , xrefs: 0348E3FE
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0348E563
`, xrefs: 0348E428

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: 352558d418c32e17ee1c3556085543eca9d0f0a630d6819e1372129316d62b8b
Instruction ID: 4b558c6bd27376beac093991cde108266def5ac8a76d27b465933bef3b3621ba
Opcode Fuzzy Hash: 352558d418c32e17ee1c3556085543eca9d0f0a630d6819e1372129316d62b8b
Instruction Fuzzy Hash: 806114762047409FE711EB69C844F6BBBE8EF80B10F08046AE9659F3A1C734D846CB69

Function 034E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 034E12D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 034E1261
HEAP: , xrefs: 034E124A, 034E125D, 034E125F, 034E12C4
HEAP[%wZ]: , xrefs: 034E123D, 034E12B7

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: e2cd1ba51e4cab2111d17de5c9adda99122c8d3829194fcd5a57b918b0713d1c
Instruction ID: 2032562c5818e2528e2f81f2ecd2c00ed195a1f725a610a73f0aa24b01becdeb
Opcode Fuzzy Hash: e2cd1ba51e4cab2111d17de5c9adda99122c8d3829194fcd5a57b918b0713d1c
Instruction Fuzzy Hash: C731DE39254250EFC711DB99CC86F6AB7E8EF09625F28019BF811EF291D670EC40DA6D

Function 03429148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0348BAAD, 0348BAEA
HEAP[%wZ]: , xrefs: 0348BAA0, 0348BADD
VirtualQuery Failed 0x%p %x, xrefs: 0348BAF7
VirtualProtect Failed 0x%p %x, xrefs: 0348BABA

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 2994545307-1391187441
Opcode ID: 345ec135c0dfb39fc736f4638bc9abca9af40c9db688d77592d87bd4c824f41b
Instruction ID: b8e4945c76a78335aed377dbffaa042d7fb827f660c29a776a9e60a0dd8bc4b7
Opcode Fuzzy Hash: 345ec135c0dfb39fc736f4638bc9abca9af40c9db688d77592d87bd4c824f41b
Instruction Fuzzy Hash: CE318436600214AFDB11DB56C885FEEBBB9EF45620F5440A7E824BF291D770DD40CE69

Function 034429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 03443264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0344327D
HEAP[%wZ]: , xrefs: 03443255

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 95ee7f056d9f0aaa58578925db3568d676411d51200f68bc0260eafd101142c7
Instruction ID: e332a1c399284c73c22b8a63708b54f940fd31f151f85735eda64107b1c92ea9
Opcode Fuzzy Hash: 95ee7f056d9f0aaa58578925db3568d676411d51200f68bc0260eafd101142c7
Instruction Fuzzy Hash: FA92BC74A042489FEB25CF69C4407AEBBF1FF08700F1884AAE859AF391D775A946CF54

Function 03441F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0344212E, 03495E53, 03496001, 0349614B
HEAP[%wZ]: , xrefs: 03442155, 03495E46, 03495FF4, 0349613E
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0344216B, 03495E68, 03496016, 03496160

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 406c33fa83626edea67583803a32ff31c298c03965eb219829ff0dc2e2b172c0
Instruction ID: d28e013a3e8ba83e3a8bc75c162431b48704edaea745b1dd081dfccbe2f07e51
Opcode Fuzzy Hash: 406c33fa83626edea67583803a32ff31c298c03965eb219829ff0dc2e2b172c0
Instruction Fuzzy Hash: 6322EC706006019FEB16DF29C494B7BFBA5EF06704F2884ABE9558F382D775D882CB58

Function 03440770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 034950CA
HEAP: , xrefs: 034950BD
HEAP[%wZ]: , xrefs: 034950AE

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: e0acf76d092a869a861dae0ed90478442981ea26ce4d15d127f897c7313f6159
Instruction ID: c5c2da4d684bb37822fd65ee4c75c6d083d31aac2994b3748c9f8a0b4da2b597
Opcode Fuzzy Hash: e0acf76d092a869a861dae0ed90478442981ea26ce4d15d127f897c7313f6159
Instruction Fuzzy Hash: 5EF1BB34A00605DFEB15CF69C980B6AFBB5FB45300F2841AAE5169F391D734E992CF98

Function 03431460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 03431596
HEAP[%wZ]: , xrefs: 03431712
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03431728

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 4b6265ccde3305658767e81b17c375144f09da1c4c49ab19759a205574fc6ffa
Instruction ID: a3a82a7b6b4222e4681270a07134b1a6a00ac9333182da54274c722ecb7ca33b
Opcode Fuzzy Hash: 4b6265ccde3305658767e81b17c375144f09da1c4c49ab19759a205574fc6ffa
Instruction Fuzzy Hash: E4E1E070A046419FDB25EF68C491A7ABBF5EF4A300F18849FE4A68F345D734E845CB58

Function 0343B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Exit, xrefs: 0343B714
MUI, xrefs: 0343B6D8, 0343B7E7
LdrResGetRCConfig Enter, xrefs: 0343B702

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: 47447d6d4882c8badf7e12099db197f7a0815197ea92289a382ac82e30f81b63
Instruction ID: 4423df1ea3ef1bddfc55e122ca56f70948c42a05b2dedff07a3b3786b01c5b1c
Opcode Fuzzy Hash: 47447d6d4882c8badf7e12099db197f7a0815197ea92289a382ac82e30f81b63
Instruction Fuzzy Hash: A0B16C79A046049FEF25CF59C980BAEBBB6EF4A714F18456BE451EF380D730A841CB58

Function 034B368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

DelegatedNtdll, xrefs: 034B36CE
@, xrefs: 034B389F
\SystemRoot\system32\, xrefs: 034B3842

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: 761b1e73e6fc2a740bcae9d75dd97d58c373c3cf4f198ec3bce229d29e6a6eb7
Instruction ID: 82568bf10bde3806f4c42dd8f6171118401647f35430621d1df8c21e44bcc34b
Opcode Fuzzy Hash: 761b1e73e6fc2a740bcae9d75dd97d58c373c3cf4f198ec3bce229d29e6a6eb7
Instruction Fuzzy Hash: 97B17D79604341AFD321DF56C880FABB7F8EB49710F15492BF9509F250D7B4E8058BAA

Function 03456962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0349CA51
@, xrefs: 03456C24

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: f44568396bb8fc9e87e936001b7445f4c5b4b075618c0bb59cfea1bc598c8f11
Instruction ID: 9525803f52f15d8898f9316426a154067d64b783113f4801fbea0010547e1597
Opcode Fuzzy Hash: f44568396bb8fc9e87e936001b7445f4c5b4b075618c0bb59cfea1bc598c8f11
Instruction Fuzzy Hash: 32C28371A083419FEB25CF25C480BABBBE5AF88714F08896EF999CB351D734D805CB56

Function 0342A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0348C2E6
\??\, xrefs: 0348C1E4
UseFilter, xrefs: 0342A1C1

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: ac6dc4345de337be4c6d3cf0dcc81cc1233818f773fef15de07254481da7328d
Instruction ID: ac00196f2b61f0f09e181aabf7d197841891c7fd29f380c1462df5069cdce94d
Opcode Fuzzy Hash: ac6dc4345de337be4c6d3cf0dcc81cc1233818f773fef15de07254481da7328d
Instruction Fuzzy Hash: 75A15E759016299BDB21EF24CC88BEEF7B8EF44700F1405EAD909AB250D7359E85CF68

Function 034C36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Exit, xrefs: 034C3727
LdrpResMapFile Enter, xrefs: 034C3715
@, xrefs: 034C3867

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: 9510a991229610e4ecfd9a2a7d9dc0928e05dfe0156ec286c71ae373773e0e63
Instruction ID: 80a795d569f03cb169b335f0661fa7a09d718d7d6eda1ce999d474851781af52
Opcode Fuzzy Hash: 9510a991229610e4ecfd9a2a7d9dc0928e05dfe0156ec286c71ae373773e0e63
Instruction Fuzzy Hash: 93819B7D619380AFE351DF15C844B6BB7E8FB84B50F04892EB9909F390D778D9048B6A

Function 0346909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03469148
%, xrefs: 034A5D3F
&, xrefs: 034A5CF8

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 7a8aa1e72c628007adf144046a73e596970759257c31c7ed146a89babcb3dea6
Instruction ID: cb5a829656ece80b15242ebfcafb7afacdd4d88ab304fd2270a7b384ce08a2c5
Opcode Fuzzy Hash: 7a8aa1e72c628007adf144046a73e596970759257c31c7ed146a89babcb3dea6
Instruction Fuzzy Hash: 3D71D0746087019FD710DF25C580A6BBBE9BF85618F14895FE4AA8F390C770D806CB9B

Function 0350B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

TargetNtPath, xrefs: 0350B82F
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0350B82A
GlobalizationUserSettings, xrefs: 0350B834

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 40796cd893b05958f1b7809a373c46a6dc15f7e36ff09a0f5f159f1ac9e00226
Instruction ID: a5f5aa92077b25c56775fa47bc184a206145739be4d82a40cfa8ed46b7d50ea2
Opcode Fuzzy Hash: 40796cd893b05958f1b7809a373c46a6dc15f7e36ff09a0f5f159f1ac9e00226
Instruction Fuzzy Hash: 16618F72D41229AFDB21DF54DC88BDAB7B8BF14710F0105EAA508AB2A0C775DE84CF94

Function 0342F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0348E6C6
HEAP: , xrefs: 0348E6B3
HEAP[%wZ]: , xrefs: 0348E6A6

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: e48211a9891826920f637a20e44182868110b57128f41cf37d578b2cf0c19fb6
Instruction ID: c9776b34cd80c2863c70cc0f07841285601d452c4c16ceb2084db20f58aeadc2
Opcode Fuzzy Hash: e48211a9891826920f637a20e44182868110b57128f41cf37d578b2cf0c19fb6
Instruction Fuzzy Hash: 92511435200754EFE712EBA9C844B6AFBF8EF05700F4800A6E951AF792D374E955CB18

Function 034DDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 034DDC1F
HEAP[%wZ]: , xrefs: 034DDC12
Heap block at %p modified at %p past requested size of %Ix, xrefs: 034DDC32

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: f7e37a4675b7cc50347d6fe67cc10b3596c73000e94ac36930ed02b293df5314
Instruction ID: 1dea257a184dfec5f158bbec3e769f6ea475850902e70435fe5e1927fff407f9
Opcode Fuzzy Hash: f7e37a4675b7cc50347d6fe67cc10b3596c73000e94ac36930ed02b293df5314
Instruction Fuzzy Hash: 3D513435A002508EE374DE2AC864773B7E1DF47648F18889BE4E28F285D275E807DB29

Function 0346C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 034A82E8
LdrpInitializePerUserWindowsDirectory, xrefs: 034A82DE
Failed to reallocate the system dirs string !, xrefs: 034A82D7

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 3789b1e03a8ec10cef3a687a3ca345e970ea6af871223c1efda1278cf147c8f9
Instruction ID: b882ff560d9ea942ca02b5e3db0f08e2be73e2c76baa17bba7e0112b359c0a08
Opcode Fuzzy Hash: 3789b1e03a8ec10cef3a687a3ca345e970ea6af871223c1efda1278cf147c8f9
Instruction Fuzzy Hash: 1B41F3B5540310AFC720EF65D880F5BB7E8EB59650F04482BF998DF2A0E770E8059B9A

Function 034616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 034A1B39
minkernel\ntdll\ldrtls.c, xrefs: 034A1B4A
LdrpAllocateTls, xrefs: 034A1B40

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: 1fd5a2ef08d5fba5367a55336bb623cf73dddeadd229d9eb274cfe010c7df577
Instruction ID: 2a7c60a6f8e353b38c70c1686618dc0470bcdf6b65be018490c7ca7946597bbe
Opcode Fuzzy Hash: 1fd5a2ef08d5fba5367a55336bb623cf73dddeadd229d9eb274cfe010c7df577
Instruction Fuzzy Hash: 1941ACB9A00604AFDB15DFA9D841BAEFBF5FF59710F14812AE405AF350E774A801CB98

Function 034EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 034EC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 034EC1C5
PreferredUILanguages, xrefs: 034EC212

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 4037529b6465c1a0dc2df770f94e3b93f281aef05a9972b744ace62e06298643
Instruction ID: 27af0c22aad7b4e287e3cf6dfbe78feb6767478a5f7b590720bef51100d44c5d
Opcode Fuzzy Hash: 4037529b6465c1a0dc2df770f94e3b93f281aef05a9972b744ace62e06298643
Instruction Fuzzy Hash: 61417C76E00219EFDB11DED5C881FEEB7B8AB04701F14406BE915BF2A0D7B49E448B98

Function 034C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 034C4225
LdrpResValidateFilePath Exit, xrefs: 034C4172
LdrpResValidateFilePath Enter, xrefs: 034C4160

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 40265693b8bdbf3c929d9593e593e822b41058f0d91dab4d89d567858d4c3f2e
Instruction ID: 69ac438ce4cdd284fcc8129bd1e70e783346e05c867b39dbb4d0ecc5351e867f
Opcode Fuzzy Hash: 40265693b8bdbf3c929d9593e593e822b41058f0d91dab4d89d567858d4c3f2e
Instruction Fuzzy Hash: 3641E3799107888FEB22DBD6C954BADBBB8EF55340F18046FD851AF381DA348901CB18

Function 034B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 034B488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 034B4888
minkernel\ntdll\ldrredirect.c, xrefs: 034B4899

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 1f80e711c4bf6585e7a2d081bf2964b7cd4f9f9b4c72e96bde63d9312b481172
Instruction ID: fce7dd44f39a53cfcf89f9864465a8f22186ad1abf41b265308fc1d13be54445
Opcode Fuzzy Hash: 1f80e711c4bf6585e7a2d081bf2964b7cd4f9f9b4c72e96bde63d9312b481172
Instruction Fuzzy Hash: A541C436A007509FCB21CE6AD840AA7BBF8AF49650B09056FEC589F353D730D801CBA9

Function 034633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

RtlCreateActivationContext, xrefs: 034A29F9
SXS: %s() passed the empty activation context data, xrefs: 034A29FE
Actx , xrefs: 034633AC

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: c7b127f256a94dd57c8f04abfdea8e9807e0afe2419d3703eb1d0ab680c6169b
Instruction ID: 21c146bd9b4690c70b266ae23227e75db4e12f7cad0ff2ce9e499122651c6200
Opcode Fuzzy Hash: c7b127f256a94dd57c8f04abfdea8e9807e0afe2419d3703eb1d0ab680c6169b
Instruction Fuzzy Hash: F33142362007419FDB26DF58C880B9AB3A4FB44714F18886BEC049F3A1CB70E842CB98

Function 03461607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

LdrpInitializeTls, xrefs: 034A1A47
minkernel\ntdll\ldrtls.c, xrefs: 034A1A51
DLL "%wZ" has TLS information at %p, xrefs: 034A1A40

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 4fd145c8b6554437a18e3155a627d5ae42594733539b42ee14cf6409d3f2974d
Instruction ID: 54e725a8a7ad3db33fbfb1d3a5e5e82324e3cf9c2f78d2aa896928c5ef8c7937
Opcode Fuzzy Hash: 4fd145c8b6554437a18e3155a627d5ae42594733539b42ee14cf6409d3f2974d
Instruction Fuzzy Hash: E331F535A00200AFDB20DF59C885F7AB6A8FB56754F05045FE505BF2A0E770AE058799

Function 03471270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0347127B
BuildLabEx, xrefs: 0347130F
@, xrefs: 034712A5

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: cd5ebd13e0268f28db32a7c14a3179fdf27735f4f56d904dcddd73a3fce64e06
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 3A318176900618AFEB11EF96CC44EEEBBBDEB84750F004467E914AF260D730DA058B98

Function 034B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 034B20FA
Process initialization failed with status 0x%08lx, xrefs: 034B20F3
minkernel\ntdll\ldrinit.c, xrefs: 034B2104

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 4ef57c7defa9a026b6b1a52f1f327d692a0728426001ec683e055c953723a007
Instruction ID: 0205cd16cb0d847c0d255619adb0da82cc9855336d6bb14dd520166f7fad771d
Opcode Fuzzy Hash: 4ef57c7defa9a026b6b1a52f1f327d692a0728426001ec683e055c953723a007
Instruction Fuzzy Hash: 33F02835640708AFD720E60DDC42FDA7768EB41B44F14085BF6007F292D2F0A510CA58

Function 034403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 03494D8A

Strings

#%u, xrefs: 03494D82

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 13d9ae2e95d3b9c9111b0d018449da4b01527bafef0a27ef2f767b0bea82a04a
Instruction ID: f05360cd471c22fe53beb089d9d3695529d86e1889b4c573a2f40e774bf90607
Opcode Fuzzy Hash: 13d9ae2e95d3b9c9111b0d018449da4b01527bafef0a27ef2f767b0bea82a04a
Instruction Fuzzy Hash: DA714C75A002499FEB01DF99D990FAEB7F8BF08704F15406AE905AF351E734E911CB68

Function 034D705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 034D70C8

Strings

kLsE, xrefs: 034D70A4

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: b503fe5c8f6c881318cc2259ade033fdb54de7d8ba5379aeab3533aa7a1e7875
Instruction ID: 4081398e7f80bf8cdd8a4d8fbe5dc1454b7af597f6e2d8ac832ec5f704b8973e
Opcode Fuzzy Hash: b503fe5c8f6c881318cc2259ade033fdb54de7d8ba5379aeab3533aa7a1e7875
Instruction Fuzzy Hash: D64186715013504EE731FF66E894F6A7FA0AB12724F18021EED604F2E9CBB0548BD799

Function 034452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 03445445
@, xrefs: 034455A3

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 4770132635d0e9c59a32eb0d3d843d17911669016f18eda0cc5067b81660ed86
Instruction ID: 39b28c3f51df25211247d18610c1ff8f018512eee8ae2979d0f241d13acf0e7b
Opcode Fuzzy Hash: 4770132635d0e9c59a32eb0d3d843d17911669016f18eda0cc5067b81660ed86
Instruction Fuzzy Hash: 273299745083118BEB24CF19C580B3BB7E1AF86650F1949AFF8999F3A0E734C845CB5A

Function 03432FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

@4Qw@4Qw, xrefs: 034333AD, 034333B3, 034333E2
PATH, xrefs: 034330D6, 03433124

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @4Qw@4Qw$PATH
API String ID: 0-1814558670
Opcode ID: eec731c5433a9ad15ed32ff7731119d42f5b49d3078f6c00a52865d5857ed05e
Instruction ID: 5da5ad2ac8ef17233e1791394ffe795b13ef6592d99565698e7103acfb26da9c
Opcode Fuzzy Hash: eec731c5433a9ad15ed32ff7731119d42f5b49d3078f6c00a52865d5857ed05e
Instruction Fuzzy Hash: 76F1B179E00218DFCB25DF99D881ABEB7B5FF4A700F58402AE441AF350D774A842CB99

Function 034FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 034FA551
`, xrefs: 034FA44B

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: c4c36bf48715a4a4a0233e9f43f47fda546831d72160453ddc4a9f7a70b632f2
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 41C1AD312043469FE724CE29C845B6BFBE5AF84318F0C4A2EF6998E290D775D509CF5A

Function 034AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 034AE75A
UEFI, xrefs: 034AE751

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: a95d5583542a5797d18b152cf55aeef08febe9fc7a038e9a0fe5cf5a64c0c319
Instruction ID: aac09f02e668721a0cf8760385e3d4670f7f879abaeb0cb1ba8d8f23f0ef9490
Opcode Fuzzy Hash: a95d5583542a5797d18b152cf55aeef08febe9fc7a038e9a0fe5cf5a64c0c319
Instruction Fuzzy Hash: E2615D75E007089FDB24DFA98880BAEBBB5FB54700F14406EE669EF251D731E940CB58

Function 0344F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 0344F7F6
$, xrefs: 0344F860

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: b29923a865a09425d4ea51cf7702f539aed2e749f18ad1e4b8c4ae78982d5a9e
Instruction ID: df7012dfc2caaefe01f03b938d59d4e9527eaf6549270f5f24550a957aab1b8c
Opcode Fuzzy Hash: b29923a865a09425d4ea51cf7702f539aed2e749f18ad1e4b8c4ae78982d5a9e
Instruction Fuzzy Hash: BD61BA75A00749DFEB20DFA5C580BAEBBB1FF48304F08446ED515AF690DB74A949CB88

Function 0343A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 0343A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 0343A309

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 31e071b01e8291a2ef99faba09729b45f606cbc0244b9fb343ef05986ed3a587
Instruction ID: 10a029776ac6376d95eedd7fa2db1d5fc0f66b478b17a2f5235ee68e83f9a6e4
Opcode Fuzzy Hash: 31e071b01e8291a2ef99faba09729b45f606cbc0244b9fb343ef05986ed3a587
Instruction Fuzzy Hash: B741BB34A44649DBEB11CF69C840B6ABBB4EF8A710F1844ABEC54DF3A1E275C901CB59

Function 0346329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0346330D
.Local\, xrefs: 034632B5

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 04061eaefe92383d2c20fd7887cc65ff589cd28c9990631af2d252d28c4ed54e
Instruction ID: d5837a7166401a75b28e2f8c792d42ee47105dcf9770b5379660dc701e18ab9a
Opcode Fuzzy Hash: 04061eaefe92383d2c20fd7887cc65ff589cd28c9990631af2d252d28c4ed54e
Instruction Fuzzy Hash: 1231B37A6083449FD320DF29C880A6BBBE8FBC5654F48092FF5958B260DA30DD45CB97

Function 0343C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0343C8C3, 0343CA40

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 213d3a1cd13058be44e41003a53d4bebcf0d59bbd676b81e9eafcdbd521d8020
Instruction ID: 7995c7478648fc77ecfb0fd331cbbaf64bcd9f2fd3615bfb2c14d1b2cba84c22
Opcode Fuzzy Hash: 213d3a1cd13058be44e41003a53d4bebcf0d59bbd676b81e9eafcdbd521d8020
Instruction Fuzzy Hash: D7821975E002189FDB24CFA9C980BAEF7B5BF4A710F18816AD859AF394D7309D41CB58

Function 03482F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

P`?wRb?w, xrefs: 0348300D, 034833E4, 0348343B, 034834FE, 0348352E

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: P`?wRb?w
API String ID: 0-3112501033
Opcode ID: f4edbd57eab50fcab1a71e77eb78d3ac1ef03da8583b620aaab649fe3da23e1d
Instruction ID: fd6c001c3d82581992fd85405af82ffa20a48fa1da07a6166abd1d049342c676
Opcode Fuzzy Hash: f4edbd57eab50fcab1a71e77eb78d3ac1ef03da8583b620aaab649fe3da23e1d
Instruction Fuzzy Hash: AE42D17DD04259AEDF29EFA8D8446BEFBB0AF05B10F18805BE451AF390D7748981CB58

Function 03437370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990cbf9fa050c07f397bb9108ebfb6e08971c2d0e25e9a42ea161d8c404be9a3
Instruction ID: 59cbeae94ff0f602ced543ddb812e27d5df893e0c58a5a6f6d100ea6bd09a366
Opcode Fuzzy Hash: 990cbf9fa050c07f397bb9108ebfb6e08971c2d0e25e9a42ea161d8c404be9a3
Instruction Fuzzy Hash: C0A167B5608342CFD724DF29C480A2BBBE9BF89314F14496EE5D58B350E730E945CB9A

Function 03452E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

0, xrefs: 03453240

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3879ace94afe817b90bbe46a23332a49a4d72a4644c19d40f29a02a3c7cf18dc
Instruction ID: 09e8124e4509debcb4bb985f3ae7ae0c40ed4804bf1f4e23bc39913d7e1d3a07
Opcode Fuzzy Hash: 3879ace94afe817b90bbe46a23332a49a4d72a4644c19d40f29a02a3c7cf18dc
Instruction Fuzzy Hash: 65F18F79A087458FDB21CF25C480B6BBBE5AB88650F09486FFC999F342CB30D945CB59

Function 00409E5B Relevance: 1.7, Strings: 1, Instructions: 434COMMON

Download Yara Rule

Strings

(, xrefs: 0040A17C

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 4f6bf1eb987708ccb7b4922ea9faab8edc6f18a453cfd42a011f31636055fdb1
Instruction ID: b8f6a46ce5487171e4220cbe920cab63c8ab84670d0a34be0abd15521ce2cac1
Opcode Fuzzy Hash: 4f6bf1eb987708ccb7b4922ea9faab8edc6f18a453cfd42a011f31636055fdb1
Instruction Fuzzy Hash: 38121DB6E006199FDB14CF9AC48059DFBF2FF88314F1AC1AAD849A7355D6746A418F80

Function 00409E60 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0040A17C

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 5e5443ef098d349f7e33f9aecf6f08398bbbeee53fd6575e54cb3400f46edf1b
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: C7021CB6E006189FDB14CF9AC8805DDFBF2FF88314F1AC1AAD859A7355D6746A418F80

Function 0346F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46bc668a30a793771ffdd25fdb4a608aef87d4e18d8ef8eb884577559055f96b
Instruction ID: 8dfdacb1ce167c288fd004cea4aeaecef25992ac224c6b06862535b9d0b5fa85
Opcode Fuzzy Hash: 46bc668a30a793771ffdd25fdb4a608aef87d4e18d8ef8eb884577559055f96b
Instruction Fuzzy Hash: AC414B74D00688EFDB20DFA9D480AAEFBF4FB49300F54416ED899AB221D7309905DF64

Function 03430100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 03430255

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c0047d08748991a07c08f296687c3a790a16eceb5d13efe9e2354dc3fa11306c
Instruction ID: b83091799d4a52a129cba6edd5d9ae7801c60578234c7d7cedb8f4061ca1a3bb
Opcode Fuzzy Hash: c0047d08748991a07c08f296687c3a790a16eceb5d13efe9e2354dc3fa11306c
Instruction Fuzzy Hash: 47A10A31A043686ADF24DB598840BFFA7A95F4A304F0842DBED976F381C674CD858B5D

Function 0041EE34 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

0, xrefs: 0041EC0A

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1df114d5379f01c420854ad042f3ec27fa52af3489586805299f9009a035677c
Instruction ID: 10c4cc2a22ac73de16ec8614ce64b1fbad4cd7244334fde43c6c1a012e40ecc2
Opcode Fuzzy Hash: 1df114d5379f01c420854ad042f3ec27fa52af3489586805299f9009a035677c
Instruction Fuzzy Hash: F2D13432A58380CFD712CF39C98A7823FB5F746320B48425FD99197492D778646ACF89

Function 0346A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 034A67C9

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: ea049d22bd80c3ff29964befb9df97090d1064b8291757abcb12e5abb2cf868b
Instruction ID: 62e1466adc810ac9a9e89d53412e2de295475434b79cf05dd81f0352b071f0f7
Opcode Fuzzy Hash: ea049d22bd80c3ff29964befb9df97090d1064b8291757abcb12e5abb2cf868b
Instruction Fuzzy Hash: 97715C79E0160A8FDB28DF9DD5906AEBBB5BF58700F19816FE805AF350D7348801CB58

Function 0343973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 034397F3

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: a13ddf2fbd0cf5108a48de513ac79d649daffa1e88269cd2638d58035c301a9d
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 3C614C75D00219AFDF25DF95C840BEEFBB8EF89714F14456BE820AB290D7B49A01CB54

Function 0041EAD0 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

0, xrefs: 0041EC0A

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6db272c97322b3b0fa29930fc3b55a8b502d7f7bae67c8059515f7cb8f74e152
Instruction ID: d036559d0d60bac86bc57d94b718673d43400ab9ec51b8b5612f1489485aa89d
Opcode Fuzzy Hash: 6db272c97322b3b0fa29930fc3b55a8b502d7f7bae67c8059515f7cb8f74e152
Instruction Fuzzy Hash: 44813333A48381CFD701CF79C98A6423FB5FB41360B49425FDA91974A2C778646ADF8A

Function 034BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 034BF867

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 251f5064371e1cfbb4fb1102883778aef5d1ea49974000058aca57c75401a188
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: ED516A72604705AFE721DF55CC40FABB7B8EB84750F04092EB5889E290D7B4E9188BA9

Function 0344E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0344E6A4

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: c1c978d8c763fbcdbbb74c7bbc05b968b825c5fca01c17a9d974c51f240398bf
Instruction ID: 3d8eb3a0f9e22413f8f43462a7f06e93a64ae5999340aa7a7fb4ba3c000a2509
Opcode Fuzzy Hash: c1c978d8c763fbcdbbb74c7bbc05b968b825c5fca01c17a9d974c51f240398bf
Instruction Fuzzy Hash: BE417D766083119FE710DB658A80B6BB7E8BF88714F44093FF994DF280E674D944879A

Function 034EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 034EB28F

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: bc03fdd48dca9a3ce8b8910da1b836c682b6b38da908a921154311538cc59c61
Instruction ID: 66be4d48e2731513f5c2920a2b2e3a2607757a79a860f3350f6823437173c08c
Opcode Fuzzy Hash: bc03fdd48dca9a3ce8b8910da1b836c682b6b38da908a921154311538cc59c61
Instruction Fuzzy Hash: E741D136D04219ABCB11DA95C841BEFF7B9EF44711F05016BE951AF354D6B0DE40C7A8

Function 034AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 034AC77F

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9533ad98e007e7c93302b8c1cd274ae9b752cc1314bb9f13117048b5a5f87fd9
Instruction ID: 85c039417e1dadd2035b6619d4fd26cb63fd424d4c352fa1412e328ceb2232db
Opcode Fuzzy Hash: 9533ad98e007e7c93302b8c1cd274ae9b752cc1314bb9f13117048b5a5f87fd9
Instruction Fuzzy Hash: 404144B5D0062CAEDB61DB55CC84FDEB77CAB45714F0045AAE608AF140DB709E498FA8

Function 034B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 034B9870

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: bc8039e2400dfaaab3b2f985465e01f503a463098320dbeac67fdd6b7ce690b7
Instruction ID: 497605a79a930d1697404efafd8803687230d822fc49d34ab265b85928045ca7
Opcode Fuzzy Hash: bc8039e2400dfaaab3b2f985465e01f503a463098320dbeac67fdd6b7ce690b7
Instruction Fuzzy Hash: A9318F75B103019FDB25DF69A850AB6B7F5EB4A310F58847FE6089F390E731888197A8

Function 034636EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Flst, xrefs: 03463731

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Flst
API String ID: 0-2374792617
Opcode ID: 4a9ab4e6eeb85a6768cc21ca02421f3e98583a1c5084c814224b0b25b21ad96b
Instruction ID: 62b50447e87813899b09301d1f550a7e6aca7f5eb74d845ae9bcef08288b52e3
Opcode Fuzzy Hash: 4a9ab4e6eeb85a6768cc21ca02421f3e98583a1c5084c814224b0b25b21ad96b
Instruction Fuzzy Hash: 154198B56053019FC314CF19C080A26FBE4EB99711F1885AEE45A8F391DB71D942CB9A

Function 03429730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

L4QwL4Qw, xrefs: 034297A7

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: L4QwL4Qw
API String ID: 0-1417497668
Opcode ID: c8829691fcc26e9e9ff3f6b5cdda20c3a7a177689c6101b75c412d76214551a0
Instruction ID: b71f6a2abe6bbb2b5b9b4fd4d186e0bc59fa95664e4299eb484183ae72829032
Opcode Fuzzy Hash: c8829691fcc26e9e9ff3f6b5cdda20c3a7a177689c6101b75c412d76214551a0
Instruction Fuzzy Hash: 3721D33AA00B20AFD322EF598400B1ABFB4FB84B50F15046FE965AF350D770E811CB98

Function 03435096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 034350BF

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 14f42f66a77c068273c898f04f76f489a1ef0c413305e351e5c554d9b9f8f794
Instruction ID: a6e0cdc34d7dc36e092ffb742f483b55def58011b3a19172f8178e7d04559454
Opcode Fuzzy Hash: 14f42f66a77c068273c898f04f76f489a1ef0c413305e351e5c554d9b9f8f794
Instruction Fuzzy Hash: 981154307055128BEB24C91D98506B7B6E5EB9F264F3885ABD4A1CF391D672D8428788

Function 034B106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 034B10F7

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 2250e2056388c72d5a2c30490f50896f7b68797b1da50895c4f28f2a1ea86a7f
Instruction ID: 839d4c4f6b3430e237897cceefe3970fee92df7e77892d4706c3b19d9449d194
Opcode Fuzzy Hash: 2250e2056388c72d5a2c30490f50896f7b68797b1da50895c4f28f2a1ea86a7f
Instruction Fuzzy Hash: 2D21F3B15083449FD320DF1A9844A9BFBF8BBE6B40F104A1FB5A09B260D7B09505CBA6

Function 0346E8F0 Relevance: 1.0, Instructions: 985COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94fc2c06aead4c42c46ce32e4ae53c57a21512011b41cc29ae779415a0b00ef
Instruction ID: 361a1b03acf8e4ca0796afd0ac15fc5fa7eb0abe6519a5f8b2f62e9a43108d42
Opcode Fuzzy Hash: f94fc2c06aead4c42c46ce32e4ae53c57a21512011b41cc29ae779415a0b00ef
Instruction Fuzzy Hash: 1E822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB345DA34AC568B45

Function 0347516C Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bed42d9ea82a47ab628577b264d17e4e89b9289721389e66fbec754a20d1c3f
Instruction ID: 5b33029e9a0f2847953fd732bd61bd4134af70cbc59890f319a166e6f007bfb4
Opcode Fuzzy Hash: 8bed42d9ea82a47ab628577b264d17e4e89b9289721389e66fbec754a20d1c3f
Instruction Fuzzy Hash: 87628F3280464AABCF24CF48D4905EEFB62FA56314B49C5DEC89A6F704D331B955CBD8

Function 0348739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96890ead0b73511fa2e457145390f2a7b69de6a4cbbf606bc828de036887b1d
Instruction ID: e858232ca6f6d79dc2d6b9de88600374b0a4612588a370bd47a2dccee2ca4cc5
Opcode Fuzzy Hash: b96890ead0b73511fa2e457145390f2a7b69de6a4cbbf606bc828de036887b1d
Instruction Fuzzy Hash: 9342E334A006168FDB14DF59C4A0ABEFBB6FF88314B28856ED452AF350D734E842CB94

Function 03485AA0 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684

Function 0345B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c0d58ab0de0b7ce1584a1f10800c428b246ac672ab18b0f183f0f3fbde9bcf
Instruction ID: 8b03808e26b0dd9689ce572a206057886a6ece5143cf5d771a0a942ba2399576
Opcode Fuzzy Hash: 88c0d58ab0de0b7ce1584a1f10800c428b246ac672ab18b0f183f0f3fbde9bcf
Instruction Fuzzy Hash: 77329E75E012199FCF24DFA8C880BAEBBB1FF54714F18002AE815AF392E7759941CB95

Function 03442840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d131d8206ffb3a32a1bd274ee01062349354384e91363ede38a5d3741f810c
Instruction ID: 31a05c9f367f777b5d521d83ed877661dcd9be2a8bc7428142046c01c759c49e
Opcode Fuzzy Hash: d9d131d8206ffb3a32a1bd274ee01062349354384e91363ede38a5d3741f810c
Instruction Fuzzy Hash: 8332CB74A007158FEF24CF69C844BAAFBB6AF84320F19456FD4569F384D739A842CB58

Function 034DA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a5025c7d5a9c8245863379606be1aa89387edcab828bd374a5efcf5701dd54
Instruction ID: db4b6d57c49e036a4556835fdfe7a69c0d01a9e15df876160917d9a23bb985f8
Opcode Fuzzy Hash: 64a5025c7d5a9c8245863379606be1aa89387edcab828bd374a5efcf5701dd54
Instruction Fuzzy Hash: 2922CC742046618BDB24CF29C0A4777B7F1AF45304F0C889BE8A68F796E735E452CB69

Function 034F16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0301393f6fe521ba23267ee5dc93748acb36cf613fd51c473f78d2eaa72dff03
Instruction ID: b69902c5ed8379cb0ece42eea50828f1742e953226698ea9d5f73c70acac99f9
Opcode Fuzzy Hash: 0301393f6fe521ba23267ee5dc93748acb36cf613fd51c473f78d2eaa72dff03
Instruction Fuzzy Hash: F722A035A00216CFDB19CF59C490AAAF7B6FF88314B1C456EDA569F344DB30E942CB94

Function 0345FB80 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8a859f2d58c54f92f578f05c878e5e2276277932e6fe9bfda5760a3b760b49
Instruction ID: a678b1a61ed55111aa18296e7b09635c201fc593fb4374a5fec4438194b8af3d
Opcode Fuzzy Hash: 0f8a859f2d58c54f92f578f05c878e5e2276277932e6fe9bfda5760a3b760b49
Instruction Fuzzy Hash: A6229E759006099FDB14DFA8C880BAFB7B5FF54310F1885AAE8149F385E770EA45CB98

Function 034F1D5A Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1544b16c87ed4035b12daec871c7fa51435d1f148529cebca231b3e1c7735535
Instruction ID: 3eaa6ef258dceb8ee77aa6199473519725193f71a6bc255112ae445e8e9859d2
Opcode Fuzzy Hash: 1544b16c87ed4035b12daec871c7fa51435d1f148529cebca231b3e1c7735535
Instruction Fuzzy Hash: C3229E396047128FC718CF29C490A2AF3E5FF89314B184A6EEA96CF351D770E842CB95

Function 03458DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3fe7b6fa202fed1968ba22c2dc7f164023212dd22c310eabdfab992a58e75d
Instruction ID: 73747ee5d2cb2a7a11f42b60271ed094c70cd6cb3c453ee5bb30a5aa56d2a3df
Opcode Fuzzy Hash: ab3fe7b6fa202fed1968ba22c2dc7f164023212dd22c310eabdfab992a58e75d
Instruction Fuzzy Hash: 9A221A71E0021ADBDF14CF95C5809BEFBB6AF49704B58809BE855AF342E734D942CB68

Function 034F2446 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d4eecbee6b1c72a141b5c374b1aa79b28837d717883cc4b048e696a669cafb
Instruction ID: 982e85ba1b33f3e9bb6b01d256f21f6b1fb6fe6048d4d58f94499d396742889e
Opcode Fuzzy Hash: 51d4eecbee6b1c72a141b5c374b1aa79b28837d717883cc4b048e696a669cafb
Instruction Fuzzy Hash: 7602F1386006518FDB64CF2AC450276F7F1AF45300B1C899BDAA6DF391D7B4D842DB68

Function 0350B16B Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7180d1ce6e10c3095fb6e27ac9c0df3cf853fa20175eef49a8f36fcbf5c0acb9
Instruction ID: 7e958c79e8aa6a8a762c746ee6c69108dfea0db480f9188ea4a594654adb3dc3
Opcode Fuzzy Hash: 7180d1ce6e10c3095fb6e27ac9c0df3cf853fa20175eef49a8f36fcbf5c0acb9
Instruction Fuzzy Hash: 41F1E572E006118BCB18CFA9D9E067EFBF6BF8821071941ADD456DB3D0E635EA41CB90

Function 00402FB0 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 3a980b568be2ae1ecdc62ef5b70c599cea3cbb84bd4cfa04f309e58bee3fdca8
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: 37026E73E547164FE720CE4ACDC4725B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Function 0350A9A6 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572a458045cf36bdc235742308327d79e948f65bc516bae58cdd0fc53f7d83ef
Instruction ID: b7425a27ff4634d1233ff6d7c686547a250a9b1c078ee47e66a104c920e1d335
Opcode Fuzzy Hash: 572a458045cf36bdc235742308327d79e948f65bc516bae58cdd0fc53f7d83ef
Instruction Fuzzy Hash: 57F1E573E006269BCB18CE69D5A05BDFBF5BF44200B1A426AD856EB3D0E735DE40CB90

Function 0041E0EA Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5536d6ddc44d4289dc5b9911f8a30ba67a91d283cb9dfa3fb512cd2e3dfc4f9e
Instruction ID: a5394ce4c80714468a0c07c897848dce95e00c13d2b973db170db05461ba419d
Opcode Fuzzy Hash: 5536d6ddc44d4289dc5b9911f8a30ba67a91d283cb9dfa3fb512cd2e3dfc4f9e
Instruction Fuzzy Hash: 921298B2D18381DFD71ACF38D9867513FB1F742324B08428ED8A193592DB38256ADF88

Function 0345FDC0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257ab352cceeb22eddedd78860f0d20d704a2e41929ae39536ddadf8c571d382
Instruction ID: c4623bf1e39b7f0b0f5d25064fc792f78307fb8b2416a42af43c713db0c07ba6
Opcode Fuzzy Hash: 257ab352cceeb22eddedd78860f0d20d704a2e41929ae39536ddadf8c571d382
Instruction Fuzzy Hash: EEF1AE74A00609DFDB14DFA8C880BAEB7B5FF58304F1885AAE815AF345E734DA45CB94

Function 03428397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c871782be4bf2196e5950812303b9d2c703d6a5148413bcfa80baac0fadf2d4
Instruction ID: b2a65e7bf794a319d1721202e5291771cbf5e4bd273aa4fec5ba25519fad1fe9
Opcode Fuzzy Hash: 9c871782be4bf2196e5950812303b9d2c703d6a5148413bcfa80baac0fadf2d4
Instruction Fuzzy Hash: C8D1C175A006269FCB14DF65C890ABFBBA5FF44204F48466FE816EF290E734D941CB68

Function 0345C6E0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0abf65c6615c877719e7efde18b5957e4ff59fef27732925e58152334fb7cd5a
Instruction ID: 2b7b3a083df6fd18b734ec22a309d8ac0aa8974c94b2c884f3a1349742e97c8e
Opcode Fuzzy Hash: 0abf65c6615c877719e7efde18b5957e4ff59fef27732925e58152334fb7cd5a
Instruction Fuzzy Hash: 9BD14F71E043198BDF28CA98C5C47BEBBB5EB44305F18805BE852AF796D7748D82CB48

Function 034438E0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c406320c255fe81fab5d08921be6b2787124d515868073131f274c3c80d3b5e
Instruction ID: 8e600d0beaf7d165cee5d9cd764d25c10d1b7d06313cb9802a5b760459c96beb
Opcode Fuzzy Hash: 4c406320c255fe81fab5d08921be6b2787124d515868073131f274c3c80d3b5e
Instruction Fuzzy Hash: 26E1AD75A00245CFDB18CF59C880AAAFBF1FF58710F1981AAE855AF391D734EA41CB94

Function 0344CFE0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c88952807a35594c71908740d068c2961b03044e942f69409f1500d5f717d2
Instruction ID: a3f83893b3cb5b1464e452be99e9d3ebd8bd88358133d3a6c17a44fbd1734baf
Opcode Fuzzy Hash: 34c88952807a35594c71908740d068c2961b03044e942f69409f1500d5f717d2
Instruction Fuzzy Hash: BAD19231E003298FFB24DB15C894BAAF7A5BB46304F0840FAD9099F356DB74AE85CB55

Function 0041DB72 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4be3575ee97074a2761ca45740cf3d344041cef5e9452e50ec4e6e5bcda081
Instruction ID: 9cc858d38c618c9cbde345da2051aa2e25a72f4000c53f687cfa6c75c2844504
Opcode Fuzzy Hash: ac4be3575ee97074a2761ca45740cf3d344041cef5e9452e50ec4e6e5bcda081
Instruction Fuzzy Hash: 0E0278B2C18781CFE716DF39D986A513FB5F742324B08428EC8A1935E1D738266ADF49

Function 0343D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3b53098db3cc21546b7707b3563925e57589c505ac416229dbc0b8ff0165f4
Instruction ID: 58bcbc561d5e9bb9563dc6f7d969cbcf3925afef97caf9804d71d9bfb02ac6cc
Opcode Fuzzy Hash: 1e3b53098db3cc21546b7707b3563925e57589c505ac416229dbc0b8ff0165f4
Instruction Fuzzy Hash: 7BC18871E002159FEF18CF5AC945BAEFBB5EB56310F18825BD825AF390D770A942CB84

Function 03440535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: fcf05a7f56e8286c3ceccec38c9f9188496f8df0c257b810bfcad16a6be7ea47
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: DEB1F275600645AFEF21DB69C850BBFFBB6AF44200F1801ABD6529F391DB30E942CB58

Function 0041DA81 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e672693f1689a5cc90c26117af48f77c362a8f2a2f0f32cb5493afaa51a1b77
Instruction ID: 29477f00522e5569da46544f743a183acc346f3bb283e22fe988896b3d53108a
Opcode Fuzzy Hash: 7e672693f1689a5cc90c26117af48f77c362a8f2a2f0f32cb5493afaa51a1b77
Instruction Fuzzy Hash: 51E19772C19781DFD71ADF39D9466913FB2F346320B08428FC8A193592D738255ADF88

Function 034590DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fb8c30abf6299318b7ee1ee2430773f6d8e0b471b958cd1522c9820f6629e81c
Instruction ID: 80241015efe3fed7678d3df84c297e07c9c827fbb48068e5c112d7e1ae45b143
Opcode Fuzzy Hash: fb8c30abf6299318b7ee1ee2430773f6d8e0b471b958cd1522c9820f6629e81c
Instruction Fuzzy Hash: A2A13A75900215AFEB22EF65CC41BAE7BB9AF46750F05046AF900AF2A0D7759D10CBA8

Function 034383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4feded4ad647b8e02efbeabc59f82e3825893f9913ddab919bd373edcea7b66
Instruction ID: f61a87c94f0ca1be8e75b3c1b3dae14ff866f2fea6652007ccd100d020dfae57
Opcode Fuzzy Hash: a4feded4ad647b8e02efbeabc59f82e3825893f9913ddab919bd373edcea7b66
Instruction Fuzzy Hash: 98C126742083418FEB64CF15C484BABF7E5BF88304F48496EE9998B390D774E909CB96

Function 03470185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528e3913c505bf6b1910bf51b16d37aa201818c8230faf2997592376d6f76433
Instruction ID: 223e00a623a60b468aa20027a773bd72a444b953b917222ba2e56a48378c7fe6
Opcode Fuzzy Hash: 528e3913c505bf6b1910bf51b16d37aa201818c8230faf2997592376d6f76433
Instruction Fuzzy Hash: 78A1D075A0171A9FDB24DF69C590BEAB3B5FF54304F04402AEA159F391DB34E812CB98

Function 0041E43E Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecf813f97a88b5728cddbeb780f7274d2d81527003f3df8eb15c1d3ccaba7bb
Instruction ID: b71591fe3cf9f71280ce197978c41971dc536ebbc7b89bfd83154fd0491f4df7
Opcode Fuzzy Hash: 5ecf813f97a88b5728cddbeb780f7274d2d81527003f3df8eb15c1d3ccaba7bb
Instruction Fuzzy Hash: 0CD187B2D18381CFD716DF39D9566913FB2F702324B48428FC8A193692D738256ACF89

Function 0344E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77db694137ad1f918aeb8de47c57b4460288a4a64cecd0043189f72c45e9ed7b
Instruction ID: b258235172fb41feb25b777500bcf5a57f71ffd12d8cfab052f90d907abd8dd4
Opcode Fuzzy Hash: 77db694137ad1f918aeb8de47c57b4460288a4a64cecd0043189f72c45e9ed7b
Instruction Fuzzy Hash: 45910235A006218FFB24DB69D440B7ABBA5FB84710F0940BBE8159F391E7349982CB99

Function 03431131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909b914a6c8e2f6685999a56abe2a7d35ae54eaaa5f6ee25d1e2c3a2bac43848
Instruction ID: 4012dca122d98c92be6c18aed3c668bffaa9dae7be19d26532d9803e5ad31490
Opcode Fuzzy Hash: 909b914a6c8e2f6685999a56abe2a7d35ae54eaaa5f6ee25d1e2c3a2bac43848
Instruction Fuzzy Hash: 8DB11175A093408FD364DF28C580A5AFBE1BB89704F184A6EF899DB352D370E945CB46

Function 03464750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction ID: 0461f3787e31e46c8ac757bdc60c831eb3fefa5ff034e46647c35c58176478d5
Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction Fuzzy Hash: 8F813B3AE047958FEF21CEADC8C026EBB55EF62200B1C467BD4529F341D264D986C79A

Function 0041D569 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a6ffe801dba30c202caa0171e4f45638f216cda252ad8a007b359fa952ed04
Instruction ID: ff0b3b74b5b5a8b2d0adf2c298c6a971dbed3396cdcc3d3c02be49ff19640e44
Opcode Fuzzy Hash: 94a6ffe801dba30c202caa0171e4f45638f216cda252ad8a007b359fa952ed04
Instruction Fuzzy Hash: 6EC18572D09381CFE716DF39D9566513FB1F742320B48428FC8A1935A2D738256ADF89

Function 0347DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction ID: 7749d39a30f80fff50f1afdc9c70abe42c54816f16da92776d4abfa63bea46bd
Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction Fuzzy Hash: 6E915371930A06CFD725CF2DC8856A2BBE0FF56324B188A1AD4E6DF6A0C375E511CB04

Function 0041D576 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b91ed06c7a5037144b35a1f9ec33502fb88b392af0ee8e485ae396d502aa1ff
Instruction ID: ef91b1c79cec3dc41172c3ee61aff7c43c26cdc6aa9717844a1ccadab72bda3d
Opcode Fuzzy Hash: 2b91ed06c7a5037144b35a1f9ec33502fb88b392af0ee8e485ae396d502aa1ff
Instruction Fuzzy Hash: 3FC18672C08381CFE71ADF39D9466513FB2F742320B48428FC8A1935A2D738256ADF88

Function 034FF7B0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf5c8f8eab2e1764832a6ee8971314c4943b1632329f8d41118ec009824ff05
Instruction ID: d02031021431914013839ce884f6040e59daf38740d6bc43a8794835650c16dd
Opcode Fuzzy Hash: 3cf5c8f8eab2e1764832a6ee8971314c4943b1632329f8d41118ec009824ff05
Instruction Fuzzy Hash: 2C91BE72A00606AFDB14CF29C880BABB7E5EF44310F0C856AEA55DF391D774E919CB94

Function 034FF43F Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2421a0244f7f5475e6e3a454940a19ccefaa1566172e05aad9328a5aa6b7e09
Instruction ID: f13c8d049861bfb23793a43516522ff43065f213dec2954f9000c2eb59598609
Opcode Fuzzy Hash: d2421a0244f7f5475e6e3a454940a19ccefaa1566172e05aad9328a5aa6b7e09
Instruction Fuzzy Hash: E3910172A001059FDB18CF69C891ABEBBF1FF88310F1982AAE915DF395D634D906CB54

Function 034F81CC Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd15d4c07b69ebd7a4ef49a4908f322803ac4f1161758ec31ed80a1ce1463f9
Instruction ID: 22307f75ced3a7b47510ac88cdf3916827953acb269ea3cb78d695fa1c05e37c
Opcode Fuzzy Hash: ccd15d4c07b69ebd7a4ef49a4908f322803ac4f1161758ec31ed80a1ce1463f9
Instruction Fuzzy Hash: F681A272E005299FCB14CF69C8805AEB7F5FB88210B1D426BD925EF390E774E952CB94

Function 03440E59 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f809f20eb2e02356c1df5c8b5bfdc25167683a32dc43c8a8d2fab99a1283517
Instruction ID: 44ae731e3e902229c420171606ae9806a2d86154806e76b23e40278b2792f317
Opcode Fuzzy Hash: 0f809f20eb2e02356c1df5c8b5bfdc25167683a32dc43c8a8d2fab99a1283517
Instruction Fuzzy Hash: 8081A531A00619DFEB14CE69C8809AFFBB2FF85210B2882B7E9149F345D770E951CB94

Function 034EE4F6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4157c57506cc1cb6767105a01b2648c9077f70f74f4a6a37280cc1421b54fa64
Instruction ID: dc3151647fa4b429aee8ee896e9aa937e9a4e487d4332be4cc8d4936321e85bb
Opcode Fuzzy Hash: 4157c57506cc1cb6767105a01b2648c9077f70f74f4a6a37280cc1421b54fa64
Instruction Fuzzy Hash: 6381A176E002159BCB18CFA9C580AAEFBF1EF88311F5981AAD815EF385D7309941CB94

Function 034FAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 11976456609d5b7b13db2b374449556999bd04b9febdcd9addaad9909a00c456
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 75815075A102459FCF18DF59C490AAEBBF6AF84314F1C816ADA1A9F344D734D902CF58

Function 0345D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 576d90d0b25a74f1e4ee2da6191383f27a3c17761031ec19c09fab2db8a8081a
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: 77818D76E001168FEF14CF59C9807AEFBB2FF85304F19816BD815AF341D6319A818B99

Function 0346E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ec7eb1ee376f795ea4d08f60756f18b7f233e80a94c1fe787ab3d2b2d5547f
Instruction ID: 6b2112227ac30a753fb7a40d20b40e1fa4af22983fb5f45d4dcebe546c4a99b6
Opcode Fuzzy Hash: 43ec7eb1ee376f795ea4d08f60756f18b7f233e80a94c1fe787ab3d2b2d5547f
Instruction Fuzzy Hash: 72816E75A00709AFDB25CFA9C980AEEF7FAFB88340F14442AE555AB250D730AC85CB54

Function 0345B950 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f365072322dad5a5c5602b3ada4deda133d8d67149f758c04133764a0c4ad8
Instruction ID: 47f290ccae03efd289da4722d4cd76ace1bde46494ba5f5fdc531c31c8c8eae9
Opcode Fuzzy Hash: e6f365072322dad5a5c5602b3ada4deda133d8d67149f758c04133764a0c4ad8
Instruction Fuzzy Hash: B671B234A046508EEB24CE2AC940737BBE1EB85704F58855FFC968F2D6D735AC46CB68

Function 0344C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b62761dfff48faf358aa2ff39df10e80c23005380e3eb578d4b8f7da6c1166d
Instruction ID: 70115595f2e0419deeac028074e2832eeeb2ee87de8c4a665bd56baeede3255b
Opcode Fuzzy Hash: 4b62761dfff48faf358aa2ff39df10e80c23005380e3eb578d4b8f7da6c1166d
Instruction Fuzzy Hash: B071CDB5C01225ABEB25CF59C590BBEBBB4FF5A700F18416BE851AB350D7309801CBA8

Function 034EDAC6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf1d9999ce9c730ce7cb13bcf33a5ce0f3d052af90e1ca31d466c43806855e5
Instruction ID: 442c3c8481b2fc3f15bf940dbc2e90945246f6aca34a35b451c7149bbc85def0
Opcode Fuzzy Hash: abf1d9999ce9c730ce7cb13bcf33a5ce0f3d052af90e1ca31d466c43806855e5
Instruction Fuzzy Hash: 53818B70D002959EDB24CF6AC444ABBBBF1EF4A741F04849AE4A5AF385D374D841DF58

Function 034F70E9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510b564c1c33f38f9c6b9b67a0dc65e5b9009a0e25b3cabed7aa05606dda79eb
Instruction ID: 61536865ec3e2bbf5a6b50a976d9a4e13ccaf8ba9b2c1304f0c3827915fc3321
Opcode Fuzzy Hash: 510b564c1c33f38f9c6b9b67a0dc65e5b9009a0e25b3cabed7aa05606dda79eb
Instruction Fuzzy Hash: 3861B575E003169FDB10EEA6C8809BFBB69AF44250F1D447FEA11AF340DB78D9458B98

Function 0344260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70044345ca6d4f29ed8234fa33532d8889d79d8d0c4bc38800f2d9abe2b3d45e
Instruction ID: 95d4514f0d3d197d1266c8d90830eb1fe8398aa11386f0f39d4246c49c482ab0
Opcode Fuzzy Hash: 70044345ca6d4f29ed8234fa33532d8889d79d8d0c4bc38800f2d9abe2b3d45e
Instruction Fuzzy Hash: 9471BF756046419FE711DF29C480B2AB7E5FF88210F0989BBF8948F361DB78D846CB99

Function 034EF0CC Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb038c32a865fc6f5418d918f83b648f4bffc747d31af4c8147fbeeb5fbb2fcf
Instruction ID: f97fefe64f8a68b36b53b4f1f8e647112eb0d60e406f475a8237373767c4ba92
Opcode Fuzzy Hash: cb038c32a865fc6f5418d918f83b648f4bffc747d31af4c8147fbeeb5fbb2fcf
Instruction Fuzzy Hash: F371BD39A01626DBCB24CF5AC08053AF3F1BF45306B6A486FD8929B740D375ED49DB58

Function 034B035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: b926e80f51aa0c025c77bdefb32d6d52e77c8b71e9d0d59271516b4ae3c98764
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 2F716E75E00619AFDB10DFA9C984EDEBBB8FF48700F14456AE505AF250DB34EA01CBA4

Function 034C62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b3568bcb20c4a335bf96fca3e9cc4e1b3686b82a529248d67e990c19254528
Instruction ID: 69323f243f7a604f4872f72a801972b43f252d4d7a584e7f2054f12e8d5afca4
Opcode Fuzzy Hash: 96b3568bcb20c4a335bf96fca3e9cc4e1b3686b82a529248d67e990c19254528
Instruction Fuzzy Hash: AF71023A210B40AFE731DF15C844FA6B7A5EF44720F1A892EE2558F2A0D778E944CB5C

Function 034F7A46 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860b3993f5d338a2cae24e48343b3a02eddc631360bf87b2e5a39cdd03609629
Instruction ID: 404113ecebc9af41ec69abd902181d1014c74e31d98b737e7834d6c70d1c9a21
Opcode Fuzzy Hash: 860b3993f5d338a2cae24e48343b3a02eddc631360bf87b2e5a39cdd03609629
Instruction Fuzzy Hash: 29513A75A002255FCB14DF69C8809BBBFE6EF88354B1D416EEA54DF384DA38C902C7A4

Function 034F132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911ad33cf2e92ea1f8baef3cec648c96f4ee228d44fda85e563cee96299e5e45
Instruction ID: 4976033a855dbb3c8a704afd12cdc288e904fd9cc1b23a20e6c768136cffc3e2
Opcode Fuzzy Hash: 911ad33cf2e92ea1f8baef3cec648c96f4ee228d44fda85e563cee96299e5e45
Instruction Fuzzy Hash: 3F817E75A00245DFCB09CF99C490AAEB7F1FF88300F1981AAD859EB355D734EA41CB94

Function 034F903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde9d8bdddd6b6206392971ff473d2d581cee1bbc7adb0aa1f08c588b996c0a
Instruction ID: 7580d88a02bd688f11148244f0a99623c63bb383b5d9234e7f008178bdc8f2c4
Opcode Fuzzy Hash: 0dde9d8bdddd6b6206392971ff473d2d581cee1bbc7adb0aa1f08c588b996c0a
Instruction Fuzzy Hash: E161D075600715AFD315DF65C884BABBBA8FF84710F08461EFA688F240DB30E915CB99

Function 03437703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9850ba2704a8246bee4bc9524c672f17256216c372012c3a4fc82fa244e62244
Instruction ID: d9844eaf72e47a3566ac47bb3ac78a059ef7e030eb08cceac880926eeebf304e
Opcode Fuzzy Hash: 9850ba2704a8246bee4bc9524c672f17256216c372012c3a4fc82fa244e62244
Instruction Fuzzy Hash: DB6174B5A00606EFDB18DF69C480AAEFBB5FF49200F18856FD459AB350DB30A945CBD4

Function 034F92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26bc6adb6323a361641ad953e89380fb6cabc90cc2cdd82bfd68c79d3ff1fb2
Instruction ID: 22d847a39185b43030bfb3d51c3f163aab6ebee199b8253eb0d72d9c852ce5f7
Opcode Fuzzy Hash: b26bc6adb6323a361641ad953e89380fb6cabc90cc2cdd82bfd68c79d3ff1fb2
Instruction Fuzzy Hash: 9B61AE356087828FD315CF65C494B6AB7E0BF94704F1C486EEA958F391D735E806CB89

Function 034FCE93 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction ID: fd5e0b69d9f9a72ce218e65d4bb9387658b6d5a8176f993de13117627459c741
Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction Fuzzy Hash: 61510932A047069FC714DE29889076BF7D6AFC1250F1D846FEA55CF389DA30DC0687A9

Function 0041E743 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccb92c0ffcfcbe2b84818477e0a4b1a0cce97956e5c63b1cdfc9f8ace8624a5
Instruction ID: 7c9bd757cbcde6b85952990dda5fc2865bf016a05f7732201d8d4545d51b5501
Opcode Fuzzy Hash: 6ccb92c0ffcfcbe2b84818477e0a4b1a0cce97956e5c63b1cdfc9f8ace8624a5
Instruction Fuzzy Hash: C48122329493C1CFEB1ADF78E99A6853FB1F746320B08478DD8A24A2D6C7781066CB45

Function 00402D90 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 72940b2de139f4e90958e9e8763c4e4336f87cc22ae5d142da70f60c8c24c1bc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: AB5173B3E14A214BD3188E09CD40631B792FFD8312B5F81BEDD199B397CE74E9529A90

Function 0342B2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063e9161c3c2bac278b24fc22cd04b535163e434c51032a8589414cf0265f4a2
Instruction ID: 1415bf1e300cd2f6ac39aba251518ef6904be72a3d3231c043feb927837740db
Opcode Fuzzy Hash: 063e9161c3c2bac278b24fc22cd04b535163e434c51032a8589414cf0265f4a2
Instruction Fuzzy Hash: 844134356007109FD726EF2AD880F2ABBA8EF45750F55846FE519AF3A0D770DC018B98

Function 034F7D73 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281e9808931b5bd203160d0e1406da2652e979f549f6336e5604ec5387c25e3c
Instruction ID: eb63c37275be9798bfa90c08e12d9f7ef5716e234b189e666756cbd5c0d729b2
Opcode Fuzzy Hash: 281e9808931b5bd203160d0e1406da2652e979f549f6336e5604ec5387c25e3c
Instruction Fuzzy Hash: A551D236A1014A8FCB08CF78C480AAEBBF1EF98314F19827AD915DB355E734DA15CB94

Function 03443740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8dc1a99c685ed198038357e69c88b669c99e67cd8547bde8bc5920ee0faf95
Instruction ID: 40f5c57da9df6911497ac2a7c5a5b5cba08e38cc431c7b375fdb38b22e2fe2e9
Opcode Fuzzy Hash: 0f8dc1a99c685ed198038357e69c88b669c99e67cd8547bde8bc5920ee0faf95
Instruction Fuzzy Hash: C751E379A00615AFE711CF58C48066AF7B0FF44B10B0981BAE855DF740D734E9A6CBC8

Function 03437152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11f6052f8dafe12c2bb68293a639b39df1adc31c8b0287b57644551394ddd6b
Instruction ID: 48d3c933157333340bad443370ad164583dff4cce747d8bb5161ebfcb2c877fa
Opcode Fuzzy Hash: d11f6052f8dafe12c2bb68293a639b39df1adc31c8b0287b57644551394ddd6b
Instruction Fuzzy Hash: CC51E1B5A00606EFEF15DF64C944BAEBFB4BF49311F1440ABE4529B390DB709912CB88

Function 034B3A6C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b11fa60b55935b2af0c65471e96c1508680af3e0b717d6dff9f4cf326db0cd
Instruction ID: 8f2fef4c402590367377a3999bc076bbca33c74e600f46d139dbd72c8e32010f
Opcode Fuzzy Hash: a5b11fa60b55935b2af0c65471e96c1508680af3e0b717d6dff9f4cf326db0cd
Instruction Fuzzy Hash: DB519936E4412D4BEF24CE58E461BEFF3F2AB85310F48081AE845BF3C5C2B66956D664

Function 034AD800 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47168ffeae7916593fdf3acb649367c62a4fa1a69c3e3b5da1ac0b704f12bfa
Instruction ID: 15d27faf6ceb67c9b23f9e04fed292a13752b73a145838b880627102e7fc5b76
Opcode Fuzzy Hash: c47168ffeae7916593fdf3acb649367c62a4fa1a69c3e3b5da1ac0b704f12bfa
Instruction Fuzzy Hash: 5151AC74A00A15ABCB14DF69C4A0ABAB7B8FF66700F08416EE851DFB90E734D850CB95

Function 034FD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: 5948e36b7f5a18469186b64de86f30d9441b669796f1b369b3bba25dcfb359b9
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: C8517D72A087429FD301CF28C880B5BB7E5FBC9244F08892EFA948B385D734E905CB56

Function 034F7571 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba4b11747b80f4d83a02bbb5a6be7339928c5bbbab2edeca3fe04ea3394d641
Instruction ID: 4af23e0ebeb18be60777518509b2f568a6fdff7d123eb0b185f73448b05d444e
Opcode Fuzzy Hash: 4ba4b11747b80f4d83a02bbb5a6be7339928c5bbbab2edeca3fe04ea3394d641
Instruction Fuzzy Hash: 6951E331A00115AFDB14DB69C844A7EBBF9FF48390F0C416ADA11DB260DB74AD16CB84

Function 034351ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dceb2a5b859c7b3b52b9ba9a575f909cb411dfeb65d3f20581b870d8d2707976
Instruction ID: a193828204f0e6878ce44e99e08ac1888090bba5e9bcc9ca0c1e70dc0e6d64b4
Opcode Fuzzy Hash: dceb2a5b859c7b3b52b9ba9a575f909cb411dfeb65d3f20581b870d8d2707976
Instruction Fuzzy Hash: FF517C75A05215DFEF21DBAAC840BAEB7B8BB0F714F18009BD811EF250D7B499418B5A

Function 0346F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafde7dcda45950ed623106e3c1ad972807572f3b5ded4a5574ad0a07bbd43dd
Instruction ID: 877841b7a405ad34bcd1461fb7796eff382c00c8df6dcf9af636f0000c8aa24a
Opcode Fuzzy Hash: aafde7dcda45950ed623106e3c1ad972807572f3b5ded4a5574ad0a07bbd43dd
Instruction Fuzzy Hash: B5417476D04229AFDF11DFA99884AAFF6BCAF05650F05016BE911EF300D634DE0587E9

Function 034601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c583e59ed59b3b171f5ecdb0aacba307aebf2107573aed195ff202b7178495b
Instruction ID: 201d24fd48f748ebdc082c75655aad1d7d1676db9b685e2220588c4c12ed08f2
Opcode Fuzzy Hash: 8c583e59ed59b3b171f5ecdb0aacba307aebf2107573aed195ff202b7178495b
Instruction Fuzzy Hash: 8941AC36A042189BCB14DF98C440AEEF7B4BF88610F18816BE816EF350D7359C41CBAA

Function 03472750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: f1a9340b4efcd860625917fb8365d614c3ef99e070ffe6244093137a13888f58
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 82515B75A00615DFDB14CF9CC580AAEF7B6FF94710F2881AAD815AB350D730AE42CB94

Function 03436154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089fa968b89bb64e0b9c0b60d43bcfaf2d1e41005662a97a15408d08b838efd1
Instruction ID: 389ec6582958182a61f51d2badab8c8265fe15ea1d7e1779718e1b955a90a3fc
Opcode Fuzzy Hash: 089fa968b89bb64e0b9c0b60d43bcfaf2d1e41005662a97a15408d08b838efd1
Instruction Fuzzy Hash: 1951D670904216EFEB25DB64CC44BA9BBB5EB06314F1942ABD425AF3D0D7785981CF88

Function 0342B136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29fcddecef804ca2bdcd7f9eb05d2f36a0baa846cd5067631d772750e229216
Instruction ID: cf6b0f706a59060c8a87e5f2980fb2a44919e421859016eed9689b20d7f9c103
Opcode Fuzzy Hash: b29fcddecef804ca2bdcd7f9eb05d2f36a0baa846cd5067631d772750e229216
Instruction Fuzzy Hash: DB418A75640711AFDB21EF66C884B2ABBA8EF10794F44846BE511AF260D770DC01CBA8

Function 034FF0E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4294f1ca823b650130390ef81a9301ddb6791e6a742e15c72352a47e9f17e7
Instruction ID: 7a448994d7749a2abc82915f4f4715af0f81990884ad9909ea41a56aefb22702
Opcode Fuzzy Hash: 2c4294f1ca823b650130390ef81a9301ddb6791e6a742e15c72352a47e9f17e7
Instruction Fuzzy Hash: 8541DF712083419FD704CF25D8A587BBBE1FB84225F088A5EF9958F382C730D81ACBA5

Function 034F866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 9418d76a23b5a52fa893c4acfa190f4ca784b8952e4ea16ace50458937600734
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 4C418675B00219AFEB15DF99CC95AAFBBBAAF84600F1C406AE6049F351D770DD01C764

Function 034DD5B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dfaf528aea09cd753a23989f7735b77306bb62de4a44e5aacd7b378766883de
Instruction ID: 7b0b279abc71fcac419cfefdbb962356b222c6f9e6e7c4171a91387299dbb07e
Opcode Fuzzy Hash: 9dfaf528aea09cd753a23989f7735b77306bb62de4a44e5aacd7b378766883de
Instruction Fuzzy Hash: 2A41F230E082959FCB14DF29C4A5ABAFBF1EF4A300F09849AE4C58F355C735A456DBA4

Function 0345D6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8ed7b5208ee7c06feffeb47c55b35b2a910418b695d798db1018068c60f79e
Instruction ID: a0ceaec4bb1a20e3d1bd0d35f9afdf176b8c71b0a891cdb439b8f5e2a441c466
Opcode Fuzzy Hash: 4e8ed7b5208ee7c06feffeb47c55b35b2a910418b695d798db1018068c60f79e
Instruction Fuzzy Hash: 2D41D5759047409FD724EF26C950F6BBBA8EF56320F04052FF8158F2A1DB30A84ADB99

Function 0342A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 27763913da1eb13aa6489ac2fd52173c17fd73df8a86257c0a864bcc0074d336
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 1E41F631A00221DFDB21EF9584507BFBB62EB50754F99806BEE45EF340DA359D41CB98

Function 03460710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 61810ad3a62037bca9b738cb176ebb8f25de7985b5940e4bb6df3ecb96c84c90
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 4F413775A04705EFDB24CF99C980AAAB7F8FF08700B10496EE556DB290D330EA44CF99

Function 0343262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83bffb8f518da605ed4c95588a49d11216cd120c90d6315c4a7e44b6800f9d5
Instruction ID: f14b675e746a3aa82f1abe90f5654fc1b64f5863bbe2e6b727c86b1e2cec88ff
Opcode Fuzzy Hash: f83bffb8f518da605ed4c95588a49d11216cd120c90d6315c4a7e44b6800f9d5
Instruction Fuzzy Hash: 3B41AB75501714CFCB21EF29D940A6AB7F5FF4A310F148AAFC8169F2A0DBB09942CB49

Function 034FFFB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: becd24f9b575b86fafca8a56225493150a0a935f7eee82a46ec9204e6592ceaa
Instruction ID: 6cfdd2c66a8b45142abf0bd959238e11ad39d252143c199a101840d088e8b3fb
Opcode Fuzzy Hash: becd24f9b575b86fafca8a56225493150a0a935f7eee82a46ec9204e6592ceaa
Instruction Fuzzy Hash: 36415675A002599BC700CB2694B0ABABFF1FF85205F4CC1AAD8819B2C2D63AC55BC770

Function 034B07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd62093d7ba6fd1a5d5fa75d76d2a76aff99d2958ecd2c014924eca5738d6dc
Instruction ID: 8c17d10f74f5170509eecc363f7ccd5124b0af66ed6c7463ed6e1e32e2181d14
Opcode Fuzzy Hash: 1dd62093d7ba6fd1a5d5fa75d76d2a76aff99d2958ecd2c014924eca5738d6dc
Instruction Fuzzy Hash: D1418C726083409FD720DF29C844F9BBBE8FF88654F004A2EF598DB251D7709905CBA6

Function 034FFA49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c21dc29b12113a9d9761714a252444ccc7e5f55412a3d6daf049973e0767e5
Instruction ID: f22338a4dab3fdce1497f763cbb3d81a06aaf18c68e6a60c53cc985f403c4f91
Opcode Fuzzy Hash: 13c21dc29b12113a9d9761714a252444ccc7e5f55412a3d6daf049973e0767e5
Instruction Fuzzy Hash: B8311636B101069FC718CF29CC44AA7BB99EF85750F0C867AEA18CF384E674D949C798

Function 034FEEDB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced00b3b67be9c741da93fedadf7fc215f64ca99eef8df2027f91e9df010430e
Instruction ID: 553d6a44b1d4031d9b134ec1de5d9befc05b0992445e8d6e0200a36f45246f44
Opcode Fuzzy Hash: ced00b3b67be9c741da93fedadf7fc215f64ca99eef8df2027f91e9df010430e
Instruction Fuzzy Hash: C441B433E0002A9FCB18CF68D49197AF3F1FB4830579A41BED905AB294DB34AD45CB94

Function 00401026 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212c67cddb357ee034409966756fb29ce37f76ba36a1a5b19561db3bb26b7ad5
Instruction ID: 7396214d035048c7ae8aafe5c713134f0e5c743957e0d3fd16dd9b7055f3509d
Opcode Fuzzy Hash: 212c67cddb357ee034409966756fb29ce37f76ba36a1a5b19561db3bb26b7ad5
Instruction Fuzzy Hash: 743193116597F14ED30E436D08B9675AEC18EA720174EC2FEDADA6F3F3C0888408D3A5

Function 034FFB76 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193b804cc91f41af1f174b2aa6e29c3aad5d3af5dec48ff9b8191839d49e7e5a
Instruction ID: 98b71bcf97cfeb146fcfb365b99abf67c3a9c1fac9a4b674a51e2f2df444680d
Opcode Fuzzy Hash: 193b804cc91f41af1f174b2aa6e29c3aad5d3af5dec48ff9b8191839d49e7e5a
Instruction Fuzzy Hash: 05313676600215AFD710DF29CC44EABBBE5FF88350F49842AFA08CF240D674E90AC798

Function 00401030 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 9ce4faf4bd6c29c48d5e9242fd1ccb7de96948774e055271f7c113e60250bd75
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 203180116596F10ED30E836D08BDA75AEC18E9720174EC2FEDADA6F2F3C0888408D3A5

Function 034402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: e19f7196e1f1c850f5b3fedb23c85565ad37bf80fbd65ed772a3b4c8e329f433
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 9C31E632A04244AFEB21DB69CC40B9AFFA9FF05350F0845BBE455DF351D6749885CB98

Function 03459274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0f5ab957db3093bafe96161c89258c986f53903972de7be78b25881997fa322
Instruction ID: 5746e5cbd6d016e6db78bf3e6d9f9cfece300adc5d6f7328cd9761cc94c50d57
Opcode Fuzzy Hash: a0f5ab957db3093bafe96161c89258c986f53903972de7be78b25881997fa322
Instruction Fuzzy Hash: 3B316475E00328EFDB21DB25CC40B9AB7B5AF8A710F1501EAB94CAF281D7309E45CB55

Function 03435702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d905bd790d4058cef6462fa6b736e620f5a001f027e3164b2d32661345e66ac
Instruction ID: 5dc63004f5bbd7635baa5919d1c03457380e94834b1269412eae17900d174d79
Opcode Fuzzy Hash: 2d905bd790d4058cef6462fa6b736e620f5a001f027e3164b2d32661345e66ac
Instruction Fuzzy Hash: F231C039601A02EFDB51DF21C980A9AFBA9BF4A754F0410ABE9518FB50D770E821CBD4

Function 03434260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4320ca21c3db3bd8c056b4de771b02c8205c6a6282f5042491b3de1c6e3e7a
Instruction ID: 788dec62cfda3a2e0f4fed2101d24e5001f911b14de4a9a43bf106ae49176c92
Opcode Fuzzy Hash: 5f4320ca21c3db3bd8c056b4de771b02c8205c6a6282f5042491b3de1c6e3e7a
Instruction Fuzzy Hash: 03419E35200B459FDB22CF25C981BD6BBE9AB4A314F14842FE5A98F350C774E804CB98

Function 034550E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 11b68e1602b70722a08700362f52c89965ba3849ca20d50f37ca1e67d8ac0f57
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: 8331E531E083419FEB21DA29C800777BA94AB86754F0C85AFFC968F786D274CC41C79A

Function 034F61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
Instruction ID: 79c74ede91e9004ca4a034654464919aa87d44a869bf0b2d45f1303745a96cbf
Opcode Fuzzy Hash: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
Instruction Fuzzy Hash: F031A376A00255EFDB15EF99C840BAEB7B9EB44740F4A416AE500AF344D774ED01CB98

Function 034F6BD7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebac86d7bb2ee5a1140b3fc3aa3e748d3fd62eb58568be1a1f0fe5014bb0c73c
Instruction ID: 7587c4b863d2d5a274cbf7475552f36e08d608792589dd2239c781664bb2d8d5
Opcode Fuzzy Hash: ebac86d7bb2ee5a1140b3fc3aa3e748d3fd62eb58568be1a1f0fe5014bb0c73c
Instruction Fuzzy Hash: 97318E716002449FCB24DF2AD885A5B7BF4FF59300B86846AE908DF249D270E949CBA8

Function 034F60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4176dfb37ee20186969f0474fdec51d05c7be620f8c7178bdb5eb4a5e1c6144
Instruction ID: 2ebe9876c229f8c2bdbdc174224be938306caa2ddf9fbdc5106ab59cf8b49acf
Opcode Fuzzy Hash: d4176dfb37ee20186969f0474fdec51d05c7be620f8c7178bdb5eb4a5e1c6144
Instruction Fuzzy Hash: 4B310275700215AFDB12EFAAC940B6FBBB9AB44300F0900AEE641DF351DA34DC018B98

Function 034307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4600052c9713ea2ae2f3807cf900385c19f1d6e5c920c06d51e2ba5a9cb5fe
Instruction ID: a94149f0b8b1381d16e328fa320f6e973af973ada306b6ea9409885e9348992f
Opcode Fuzzy Hash: 4a4600052c9713ea2ae2f3807cf900385c19f1d6e5c920c06d51e2ba5a9cb5fe
Instruction Fuzzy Hash: 8331B636A04711DFC715EE258880A6BBBA5EF9A650F05462FFC66AF310DA30DC118BD9

Function 034357C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568f557d14343925fd0579b1166fc4799a771e8b4c0d2621e2541247a0569807
Instruction ID: a9dce266c4766655809225325cb00dc83d5b3d04f66fd314b95a8f38db6a43eb
Opcode Fuzzy Hash: 568f557d14343925fd0579b1166fc4799a771e8b4c0d2621e2541247a0569807
Instruction Fuzzy Hash: B231B039705A06FFEB15DB25DA40A5ABBA5FF49200F0450AAE9118FB50D731E831CB84

Function 0346A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: f1bcc627e831d582264bd1e6a1743dd05e4bceb70e024fe0be0fb978aba97483
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: D43130B2B00B00AFD760CF69DD41B57B7F8BB18750F18052EA55ADB750E630E900CB69

Function 0345438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5789972c2c25b2f2c2c9eaa2c1f0850b6907bdf29e921d93497d63a54f7707b7
Instruction ID: 3144367f973f4011a375238f07eff904b2d2eb59245f69c5c20612ee2c5ab55b
Opcode Fuzzy Hash: 5789972c2c25b2f2c2c9eaa2c1f0850b6907bdf29e921d93497d63a54f7707b7
Instruction Fuzzy Hash: 3F319031F002059FDB20EFAAC980A6BB7F9AB85705F00852BE845DF265D770E985CB55

Function 034392C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: 2a7864ff71e01eda7474d36490f23bb5f51eeae41e8d3f6221e0d442591afacd
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: DC3189B56083099FDB01DF19D840A9ABBE9EF89710F04096BF8519F3A0D770DC15CBAA

Function 03487190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: cf5849b392c0d306b05a11fb1f2478a100800f8ae9af9b515e1b0a1658a883e0
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 1A318875604206CFC710CF28C49095AFBF5FF89350B2986AAE9589F325EB30ED06CB95

Function 034EC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: beacb524d416f179c4bcf0bc8d9b4e1e530ec8a68bfb83c80e86fe0efd7ce135
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: CE21F93F600655AECB24EBA68C80ABBF7B4EF40611F40801FF9668E651E634DD50C764

Function 0342C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdfcd5449c098c6871904edb42667e9cda7c94828050d3dd6c3d1afd5ec2dbf
Instruction ID: 90aeffa4c596e22e188ca22fb20db53439f55d497edbde3718cf435200561473
Opcode Fuzzy Hash: cfdfcd5449c098c6871904edb42667e9cda7c94828050d3dd6c3d1afd5ec2dbf
Instruction Fuzzy Hash: E131E8759013108BD734FF14CC41BADB7B4AF46314F5881AED8469F3D1DA749986CB98

Function 035003E6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd2315a78bc2a3449d7e5ca5a26df4356dcd0de370782e109b8a81b963445b1
Instruction ID: 359ce885a30bd62797440896cfe266292880a0ee5501fe18e54859676869198b
Opcode Fuzzy Hash: fbd2315a78bc2a3449d7e5ca5a26df4356dcd0de370782e109b8a81b963445b1
Instruction Fuzzy Hash: 89316171A00119AFCF14DBA5D894F9FBBB9FB88214F414169E905E7290DB306D05CBA4

Function 0342E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 648245121e17cd72b2d6ee5744904a7bf8186fb05f61a43ea2ba5c18cec037fe
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 7E31B831600614EFEB20CF69C884F6ABBB8EF85314F1444AAE5129F390E730EE42CB54

Function 034AE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc5c7c51b915b2913c53d999c7ea8fe24109a0c328346fb9effaa2f2b01115d
Instruction ID: f8d2dde5250ae79e7fc96f54194f34058cc8b63cfe1ff81dc3c3abfdac1be1e7
Opcode Fuzzy Hash: ddc5c7c51b915b2913c53d999c7ea8fe24109a0c328346fb9effaa2f2b01115d
Instruction Fuzzy Hash: 9231D475A00605DFCB14CF1CC480DAEB7B5FF94300B55495AE8159F3A0E770EA81CB98

Function 03433616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b4407b38a4f556a32a8719b469abcbda729be59416b55ad777e2475570d251
Instruction ID: 4cc48eb07a4ebdbfe933f1b44b79511cd5001379a33f8c4acdecddd10281d9b9
Opcode Fuzzy Hash: b4b4407b38a4f556a32a8719b469abcbda729be59416b55ad777e2475570d251
Instruction Fuzzy Hash: CE21E1392457609FDB71EF05D944B2BBBA4FB8AA10F09486EE8410F761C7B0E844CB85

Function 03500591 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52995cc512526ba7b896df2f295ffff7bcd30ac4e16f79a8927e5def960abd7c
Instruction ID: aa236191f5101b95f4f4a1a7fb1ca84ac962d98d9387f8323f9ed0cb52c2a164
Opcode Fuzzy Hash: 52995cc512526ba7b896df2f295ffff7bcd30ac4e16f79a8927e5def960abd7c
Instruction Fuzzy Hash: 0A21F6326002058FD728CE29E880BBAB3A6FFD5310F594878D905CB1E5D732F846C790

Function 0345F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: 0c45178ad5deb50a1dacbdd494e55e26ade496940c5b0ee068e9a803503f9e43
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: 6321BE72600300DFD719DF16C441B6ABBE9EF95361F15816EE90A8F3A1EB70E805CA99

Function 034B06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e47804471cd4e71bfc16f9d6499dfda3ad228738fad19b4aa2451898355a2a5
Instruction ID: 9e1e042875a2c536fd30faed8cdfda49c1b41efcc70b9c5aaf70141d36c4c79e
Opcode Fuzzy Hash: 7e47804471cd4e71bfc16f9d6499dfda3ad228738fad19b4aa2451898355a2a5
Instruction Fuzzy Hash: 64217C75A00629AFCF20DF59C881ABFF7F8FF48740B55006AE541AB250D778AD52CBA4

Function 034B019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d90aece192291bca46f193d8e89961d8d5849cd729682df1632da03f8988eb
Instruction ID: 7fc0e49fba35de5c7b20de84b70b2e976a4228d6785e5a312fbc12dd3726619c
Opcode Fuzzy Hash: e5d90aece192291bca46f193d8e89961d8d5849cd729682df1632da03f8988eb
Instruction Fuzzy Hash: 8D217775600644AFDB15DFA9C840AAAB7B8FF48740F18006AF944DB7A0E734ED50CBA8

Function 03469660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deeceb250aec3f0dbb1b93aad1ea3d12b899d50ecc8d043233bcc85de2cd384
Instruction ID: bf6ae02ad4c30a54abb1910c7e7d49cf67b266366a306f72d145de8d02609404
Opcode Fuzzy Hash: 0deeceb250aec3f0dbb1b93aad1ea3d12b899d50ecc8d043233bcc85de2cd384
Instruction Fuzzy Hash: 5321E431204B01DFDB31EE25D900B2777E5BB51224F18465FE8928E6F0D7B1A8529A5E

Function 034B0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9092aec3c1f64e3cfe8689f3cbf5d24081c2d56e0ece5ae4cfa9fad8bff73895
Instruction ID: 21c57187818ed48d3180e7a322d8a2b41fa9b0076b03d0acf31146fce2d0eb91
Opcode Fuzzy Hash: 9092aec3c1f64e3cfe8689f3cbf5d24081c2d56e0ece5ae4cfa9fad8bff73895
Instruction Fuzzy Hash: 77218C729043459FD711EFAAC848B9BF7ECAF81640F08446BB8908F251D734D949C6BA

Function 034AD0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: ac55e74794e594ea5ebfee2b18a95b0ed0c2432f9cf2ecbd0658bd7e95a62bbe
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: D121B072A44B00ABD311DF1D8C51B5BBBA4EB9A720F14052EF9559F7A0D730D90187AD

Function 035001AA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3253d35fbce06d2b622da13b83f2d8cc54825d9085ab6c5770fd5da1cdab40
Instruction ID: f9890f5d67de1cb6403c7c96297b1c945bf279904c7a293f9bff305f2599106a
Opcode Fuzzy Hash: 8c3253d35fbce06d2b622da13b83f2d8cc54825d9085ab6c5770fd5da1cdab40
Instruction Fuzzy Hash: 5B21E4613042505FD745CB1A98B54B6BFE5EFC6125B0982E6D884CF382C134D917C7A4

Function 0346A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248f9474a2389e79c462f400aa154835ae3424ed402e2d9c7bc7231b20321bd9
Instruction ID: 1f72e2ba5e83e64f66b83b7beab7126303765bf985c95ea2b15f252b8588c8d6
Opcode Fuzzy Hash: 248f9474a2389e79c462f400aa154835ae3424ed402e2d9c7bc7231b20321bd9
Instruction Fuzzy Hash: CD21AC79200B10DFC724DF29C800B46B7F5AF58B04F2884ADA919CF761E331E842CB98

Function 0342B765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
Instruction ID: d172a8cd635638de92016e82ab756115eb1de436065fa8b496666dddd6d5f3d0
Opcode Fuzzy Hash: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
Instruction Fuzzy Hash: B8215A36100710DFC721EF59C940F5ABBB5FF18704F14496EE00A9FAA1C774A815DB48

Function 034FEE26 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb44f78c29a4ea8fe663b9463635dfc9255a9768fee091931c20caec9d3820a
Instruction ID: 6a237dba31ad227c908853693bf78292ef6065e57561fb77d485169a11d2eb1b
Opcode Fuzzy Hash: 5fb44f78c29a4ea8fe663b9463635dfc9255a9768fee091931c20caec9d3820a
Instruction Fuzzy Hash: 4021E433A104119FDB18CF3DD800866F7E6EFDD31436A427AD512DB268D770BD558A84

Function 03460124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 9cfaa1505f469a1c7f83dd83f9c88cf3507025d2e370fa251561bb0948b6ffa1
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: B711DDB6604704AFE722DF85C840FAABBB8EB80754F14002AE6009F280D676ED44CB69

Function 03438770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d182b7dabff19ebb81c53b7b77f3f58baf8029470d7917e1bc875abba01d77ee
Instruction ID: e25c77d0b792de93f72dfba4403fdab39b9bb1cec0ec05d660943842f4ee77e5
Opcode Fuzzy Hash: d182b7dabff19ebb81c53b7b77f3f58baf8029470d7917e1bc875abba01d77ee
Instruction Fuzzy Hash: 64116D356016219FCB15CF59C980A6BF7EAAF4F750B1880AAFD08DF305D7B2E9068794

Function 03433720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb30a396c61dbbe76568207d28c6932a20906a95d5520885d0b0f62b99762d80
Instruction ID: 988b84935ede345730890fe8f7addd00dafebfe7c43aa65d40f7131104685425
Opcode Fuzzy Hash: fb30a396c61dbbe76568207d28c6932a20906a95d5520885d0b0f62b99762d80
Instruction Fuzzy Hash: 0121B378A002098AE725DF5ED0487EEB7A4AB8E318F29C019D8115B3D0CBB89945CB59

Function 034380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cfc5c4fd8a7392a26389508a6439bb3e1279042ee0f5c7fa02168dd0f63a176
Instruction ID: 06a8e6ff62a42ca52b6481f253d611c32c4fd5ca139ab1c9b0a6f1a683d88e82
Opcode Fuzzy Hash: 6cfc5c4fd8a7392a26389508a6439bb3e1279042ee0f5c7fa02168dd0f63a176
Instruction Fuzzy Hash: 5B215E75A00205DFCB14CF98C581A6EFBB5FB89314F24416EE105AB314C771AD0ACBD4

Function 0346674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba53b8d1d51879fed2cdb487809c3da2233984859a8286b3f9859c5102b2ffd
Instruction ID: fbf840a14b61576878f963b8cff689f2080dacd65c0adfc0cddbef3f6f37df72
Opcode Fuzzy Hash: 2ba53b8d1d51879fed2cdb487809c3da2233984859a8286b3f9859c5102b2ffd
Instruction Fuzzy Hash: 53218E75601B00EFD720DF69C841F66B3E8FF44250F45882EE4AACB250DA74BC51CBA9

Function 03429240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75a1db94fd288c2a3ac7a0ba1be070038364b2b3cbbce0e673e181940b59abf
Instruction ID: a307281bfb2c031a6c4d1b52bb16a657f45a55a2a7e7f740eeb94e206a804fc4
Opcode Fuzzy Hash: e75a1db94fd288c2a3ac7a0ba1be070038364b2b3cbbce0e673e181940b59abf
Instruction Fuzzy Hash: C911E97E110240DED731EF56D841E6277A8EB76680F14402AE8009B764E338DD07DF68

Function 034FFF09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a4bca1f21c6860ee9fd87bdec8d319403468f46c951973528c9735c6165b5b
Instruction ID: f8f6f91cc1acb3b5d8290d07d0af9e3ddad8054aa4b1b19d5f8d62d1c0adf61c
Opcode Fuzzy Hash: a0a4bca1f21c6860ee9fd87bdec8d319403468f46c951973528c9735c6165b5b
Instruction Fuzzy Hash: EA2186B16102059FD754DF2AE880B42BBE4FB5D210B8585BAE90CCF25AE370D888DF94

Function 034527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97747a3ea8cef0f65307d041595a076969cd097ae8a2bdc614a4f80da437f9a9
Instruction ID: e406a18e6c9c0452b7cc68758ba8daddd5a49b674a4315b1d49640557db01a56
Opcode Fuzzy Hash: 97747a3ea8cef0f65307d041595a076969cd097ae8a2bdc614a4f80da437f9a9
Instruction Fuzzy Hash: B2010475A05644AFF316E6AA9884F2BAA9DEF41754F09057BF8008F251DA54DC01C2A9

Function 0345B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9d94aea4421c449a2f29cb9ecb89b11a98ec8dff41ada1f74c7879e08cb96d
Instruction ID: 7486d56b53ada5a0205dd74de525fe7c1daee13c7319330c683058e616e38979
Opcode Fuzzy Hash: 2e9d94aea4421c449a2f29cb9ecb89b11a98ec8dff41ada1f74c7879e08cb96d
Instruction Fuzzy Hash: 6C019B76F047406FD711DB6A9C41F6BB6E8DF84614F04042AFA15DF242D670E9018655

Function 034ED6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: e8fbf3f9fc5b64447a68fb4bb7d9542af197f616779d7b1047690d564c4bc4de
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: 78015275B00209AF9B04EBA6CD44DAFBBBDEF85A44F05045AA9159B200E770EE01D765

Function 03466620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251fba92f207af7cbb291c950803e55fe4aadb64b0d166de4e915bfd7dca15e7
Instruction ID: 78670d7964f08bd1f6021ed9abcbad5e9e1bc9815593562f4df79de684b05835
Opcode Fuzzy Hash: 251fba92f207af7cbb291c950803e55fe4aadb64b0d166de4e915bfd7dca15e7
Instruction Fuzzy Hash: 16112536A00715AFCB21EF5AE980B5FF7B8EF48740F55005AD900AF310D734AD018B99

Function 03427330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37c01d2de1639c95d8d4707273c7c20156f9b3c958008f1e41a8dbe2516e0f2
Instruction ID: 1a98e3e9c33212a7c70b7a373a21693f7586e69ddc51d7437ea0aa52ff95af03
Opcode Fuzzy Hash: f37c01d2de1639c95d8d4707273c7c20156f9b3c958008f1e41a8dbe2516e0f2
Instruction Fuzzy Hash: 86118C716006249FD721CF65C841FAB7FE8EF44304F05442AE9859B211D735E811CBA9

Function 0345F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03fdbe44cf218b80f0c498a22748edf3b9c52bfe10c9b47289d16dde6d9a34e
Instruction ID: e7c828e88e7cbe35e047aa7b79dc4119e0d69c9f811559756884e244e9bb18bb
Opcode Fuzzy Hash: f03fdbe44cf218b80f0c498a22748edf3b9c52bfe10c9b47289d16dde6d9a34e
Instruction Fuzzy Hash: 7711E075A00648DFD720DF69D844BAAB7A8AB54700F08007BE901AF341D638D905C758

Function 034C72A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: a9ddf47c6dff552dea7a100bb180aef4a61f2f173f53b98bc4afa7fac8f70102
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: F801D27A240605BFE711EF16CC80EA3FB6DFF44790B04492AF2004E560C721ACA0CAA8

Function 0342A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 70e8d53d71172cd4b6d0217bb4fe98b13a89b5d6a3005b7df24f937ff97e9747
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: D60104754047219BCB30CF159840A23BFA9EF45760744896EFC95AF380CB31D421CB78

Function 03436259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c15fecd20dffaa9336a983b9c70e08d6c59505f8de8a1199bb84ff70446818a
Instruction ID: c9fa08bbc403df043db3c4b2463fd08c71e27f7d4003370bc7834a7dc864c953
Opcode Fuzzy Hash: 5c15fecd20dffaa9336a983b9c70e08d6c59505f8de8a1199bb84ff70446818a
Instruction Fuzzy Hash: AF115E75541218AFEB25EF65CC41FE9B278EB08710F5045DAA314AE1E0DB749E91CF88

Function 034AE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a64b0b64d1ac25f4760452d007a37d4fb039a7c1f49bd88e3f78f16d495c916
Instruction ID: 1c959dca69e9c67d07946cdb4511926000e59821062a5fcefaecde9de86a7edc
Opcode Fuzzy Hash: 3a64b0b64d1ac25f4760452d007a37d4fb039a7c1f49bd88e3f78f16d495c916
Instruction Fuzzy Hash: 1F118B3A641740EFCB15EF19C980F56BBB8FF58B44F24006AE9059F6A2C235ED01CA94

Function 0343208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 9e9e6639c1d9fc9fcbda5648712390454cb6a3a621407ba9c01975ecc49b1f28
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: D20128326002109BDF11EE19D880B97B77ABFC9710F1948ABEE118F345DAB1C885C794

Function 0342C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: f2e6bef4f4bd09461277527b591c61eba7329fe4d8385aea0a12287b700d5888
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 33012D325017449FDB22EB66D440E6BB7EDFFC6650F44441FA9568F640DE70E802C754

Function 034720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbc88acfc586515e252da2336411c44dec48f58ecf76b1a3ae718e23ff1f5fe
Instruction ID: 829822cc1972bb0e82cfa9bb2513a20c38c536ba9c2a193cf950de0bb8338112
Opcode Fuzzy Hash: 3fbc88acfc586515e252da2336411c44dec48f58ecf76b1a3ae718e23ff1f5fe
Instruction Fuzzy Hash: 88115775A00208AFDB15EFA5C850EAEBBB9EB44640F00409AE9119F390DA35EE12CB94

Function 03429353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: 1eeaa6389852ea26b35730b4aff09738a4bc5f2f6a679e3b7d185f18524b9a97
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: A5118B32900B219FD721DF16C880F22BBE4FF48762F19886ED4995E6A5C374E891CB18

Function 034533A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: d3e7d536dd202f4c57e0d194ebe16d5b0f08825a18939fa191cb12330062a396
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: 2301863AB00205ABCB12DF9BDD00F5FBA6C9F85681B15442BFD15DF262EA30D902C768

Function 0346D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 9aa680fabed36272fa009701237d971e91bd282ba1670b4edd38ef9d78d5bc74
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 540147BAF006049BD710DE55E800F66B3A9EFC6A20F14855BFE228F380DB34D801C78A

Function 0342826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc52ff1210a0c80b09557b678b29473bb300da3de9e047b0e21e0c1f32ba62f0
Instruction ID: 66e297013aae5d33aa4a5509f828163e20fcddfe74980ca8d13089e7a1f26c94
Opcode Fuzzy Hash: cc52ff1210a0c80b09557b678b29473bb300da3de9e047b0e21e0c1f32ba62f0
Instruction Fuzzy Hash: 8E01AC35700614DFD714EB66D810EAFBBB9EF91610B59406F9901BF650EE30DD02C6B9

Function 0344E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: f3e01d610a50e2decf4e75a78365f23e2c1c5646beb81c46c9caddb85fbfce9a
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 12014872200A809FE322D719C948F2BB7E8EB49750F0D04B6A815CFA92D728D881C629

Function 034EF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e563f708110629ede039a5f208e00e2b94901978c1ac1bcc6ab9957a15ca79
Instruction ID: 3e9027bc8e7a8166031494adaca12826527f74fbc1d920960a92c5f15f55342a
Opcode Fuzzy Hash: 92e563f708110629ede039a5f208e00e2b94901978c1ac1bcc6ab9957a15ca79
Instruction Fuzzy Hash: 02017175A10358AFDB14EFA6D805FAEB7B8EF44700F04406AA500EF380D674D905C798

Function 034F972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 03505636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176acd7322ed24a91e565d7811d53a8df544c30ad9be782dad5f4669ed03bfd1
Instruction ID: b704730af4a4f66cedd55867b770ef60dd311972c2e54dbcb7043b0f5453dcce
Opcode Fuzzy Hash: 176acd7322ed24a91e565d7811d53a8df544c30ad9be782dad5f4669ed03bfd1
Instruction Fuzzy Hash: 83116D78D10249EFDB04DFA9D440AAEB7B8FF18704F14845AA814EB390E634DA02CB95

Function 0342C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: ebb5804caa65620d2579101dae463ad429c58985ce6c0d432b477253d3b1b4fa
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: A3F0FC372447329FD732DB9A48C0F6FAD958FC5AE4F5A043BE119BF244CA648C0256D8

Function 03505152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a6aee7cb95ae104297d03f0a8d7554e092bc7ab58112a19b15c0f073158e95
Instruction ID: 3a764805e534c52d9744304cc61a663fa9eeca1a738556deed183abec2e38e7b
Opcode Fuzzy Hash: d9a6aee7cb95ae104297d03f0a8d7554e092bc7ab58112a19b15c0f073158e95
Instruction Fuzzy Hash: CA012175A10349AFDB00DF69D9419EEB7B8FF49700F14445AE500EB390D6749A018BA5

Function 03505060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4dcedf7e51cde0b56707a0f3400f42cbaf811c3504165fbf78253a40a0cde4a
Instruction ID: f3f0085365c474e9e6d4ec51e288e857a9da61c70e51d8bf577c1cd7d06fe761
Opcode Fuzzy Hash: e4dcedf7e51cde0b56707a0f3400f42cbaf811c3504165fbf78253a40a0cde4a
Instruction Fuzzy Hash: 7C017CB5A00309AFDB00DFA9D9419EEB7B8FF49300F10405AF900EB391D634AA018BA5

Function 0345C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 7d3eb9db4c8088be369b8750762f5eb9149187b1dab0bfb7ea6aa4668a58ce08
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 65F0C2B3A00610AFD324CF8EDC40E57F7EADBC0A80F088129A905CB320EA31DD04CB94

Function 035050D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e69b683131b467cb48abf6d6aebf13fda27e2ffcdb375c6b3c6f176ede88f0
Instruction ID: d8669a7dee8484ce3c72383778a4167113b11f457ed4239ee4b953c7bf644f80
Opcode Fuzzy Hash: 99e69b683131b467cb48abf6d6aebf13fda27e2ffcdb375c6b3c6f176ede88f0
Instruction Fuzzy Hash: C3012CB5A00349AFDB00DFA9E9419EEB7B8FF49700F50445AE500FB390E674A9018BA5

Function 03465734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: 884bcdc1545cd5841677b322bc44875bd5b72604944f81cc5837c9ec7bafa4e4
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 6AF0FF72A01214AFE719CF5CC840F6AF7EDEB46651F0940BAD500DF230E671DE04CA98

Function 034EF78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8f6c126788fbe3bf4fc599febe9e5e6ba79d6935708d2f294de37c4e161da4
Instruction ID: 14fdc8d524188781b8e93e32c9b8fda5e9447d73776c4b26b7431b9f4b50121d
Opcode Fuzzy Hash: 5b8f6c126788fbe3bf4fc599febe9e5e6ba79d6935708d2f294de37c4e161da4
Instruction Fuzzy Hash: 48014CB8E00349AFDB04DFA9D441AAEBBF4EF08300F00806AA855EB340E674DA00DB95

Function 034EF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7884ad8d1f1dd4a4999b11c5eabedd71ec0d6e3c114a76ccfe2f6652549293
Instruction ID: 809e522a3c3fdfd38914612592212fd097b1b9631be4d1abf700bb7f4337490e
Opcode Fuzzy Hash: eb7884ad8d1f1dd4a4999b11c5eabedd71ec0d6e3c114a76ccfe2f6652549293
Instruction Fuzzy Hash: 40F0A476A10348AFDB14DFBAC805AEEB7B8EF44710F00806BE511EF290DA74D9058795

Function 035061E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3afa62c0b5bc7bb3a7fee10f801080e0385da95f78b9f2d2e4c14db8ae86fd
Instruction ID: b586647bcaaf895bc9a8fc1f645a16cceeb47e4c9fc93e8fbcca1e43962348fc
Opcode Fuzzy Hash: 5f3afa62c0b5bc7bb3a7fee10f801080e0385da95f78b9f2d2e4c14db8ae86fd
Instruction Fuzzy Hash: 16018F71A00259DFDB10DFAAE841AEEB7F8FF48310F14005AE500AB390D774EA01CB99

Function 0346724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: de0a9ea7aa9bf6476b053f30410a22e76d95489571144c6a135b8de9c3185b3c
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 23F0F675A013556FEB10DFAA8940FEBBFA8AF84614F088597B9029F241DA30E940CB59

Function 035053FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977162f0d6587274677c7a78f345b5f0562110148065175e277afc7d517e68bd
Instruction ID: 69d585d19d21c31adaba8e1e3dc36064f65f894ced15fed5d3de64607b9d9f72
Opcode Fuzzy Hash: 977162f0d6587274677c7a78f345b5f0562110148065175e277afc7d517e68bd
Instruction Fuzzy Hash: E1015AB4A00209DFDB04DFAAD441B9EF7F4FF08300F04826AA519EB391EA749A008B95

Function 0342C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2999233bc4788db6cb7069878cfef68dcb24e375bb8e10e562a21eb2d762772
Instruction ID: ed5e3e0875abe6b0eb044d1acd0f4d541b6084456f3947cdf9fd9a7abf7c7f64
Opcode Fuzzy Hash: f2999233bc4788db6cb7069878cfef68dcb24e375bb8e10e562a21eb2d762772
Instruction Fuzzy Hash: 69F0F6713042245FE250D6559C42B777A99DBC0650FA9806BE6059F7C1EA70DC01869D

Function 03503749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: ca92635d8bf5e6da057f0013c55dcfb10e7785471cb195d1311b24c59f89513a
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 2BF04FBA940304BFE711EBA4CD41FDA77BCEB04710F10056AA916DA1D0EA70EB44CB94

Function 034D437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 77f92c57d54b33af73efbbbea678ffa63f261870a6b1d18572ffb6503010770a
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: AFF0BE3A341A124BDB35EA2F8430B2BE296AF80A00B49052F9811CFB80DF30D8218788

Function 034EF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6e8bff5e54ebfee5eba7daea3d9a309abd8658c1e04c6a935146b389071a3f
Instruction ID: 9bfc103fb0c68eca0d466b5dc0838d27667cea486f0f678ae8169631093491d4
Opcode Fuzzy Hash: ea6e8bff5e54ebfee5eba7daea3d9a309abd8658c1e04c6a935146b389071a3f
Instruction Fuzzy Hash: 28F08C75A00248EFDB04EFA9D505AAEB7F4EF18300F40406AB945EF381D674DA01CB58

Function 034292FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730903b4992622277009d2d8618add7ab0f9df1a0122bc153780796fb7e6df07
Instruction ID: 1e29d44d2d0744f57245270c68da18d76f90cbbbc25f82b3698cbf223d93641e
Opcode Fuzzy Hash: 730903b4992622277009d2d8618add7ab0f9df1a0122bc153780796fb7e6df07
Instruction Fuzzy Hash: B0F0F032200340AFD731EB4ACC04F9BBBEDEF88B00F08012EA54297190C7A0A909C654

Function 034347FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3628b14a8fe7c638453de3437cfcdc6327ccce1ea2f6e233e03d7b2c626f490c
Instruction ID: 2b88f73f4015990c90a8ebd303a4d3965335e444b1dac761c761d1747795fbad
Opcode Fuzzy Hash: 3628b14a8fe7c638453de3437cfcdc6327ccce1ea2f6e233e03d7b2c626f490c
Instruction Fuzzy Hash: 11F0F03D9023D08ED725CB1BC404BA6B7D8DB0A720F0C98ABC4998F741C320D881CA08

Function 034EF6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0feb34ec122888713823ea5b93c9378ccdaedebd805b3d3a20f4539ff478f2d
Instruction ID: 578a662eb16ae826595d33037fd695ceef5dd7a0d9fb82e169fca8ea0524778a
Opcode Fuzzy Hash: f0feb34ec122888713823ea5b93c9378ccdaedebd805b3d3a20f4539ff478f2d
Instruction Fuzzy Hash: 67F06D79A10348EFDB14EFAAD805EAEB7F4AF08304F00406AE901EF391E674D901DB58

Function 034F0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c9e389ccf7715fedb59e3bcfb868314cfe936987c36a5704f009666651c0a94
Instruction ID: 64ea0020f703750876ed26b91102ddb02dee912d68fefcb62e22f90d4863065b
Opcode Fuzzy Hash: 2c9e389ccf7715fedb59e3bcfb868314cfe936987c36a5704f009666651c0a94
Instruction Fuzzy Hash: A0F0273A4167C04ECF31FB297690692AF68A793010F1E108BC5A15F316C9B98887D62C

Function 0350539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729157448129532a0c06a92a4e20042bd668682bc71501ddb207ef40fde7acf1
Instruction ID: 495942dcc94e196df7e2cc3d41986e02bfbaeb8c16d0d4a4036788f123ffe975
Opcode Fuzzy Hash: 729157448129532a0c06a92a4e20042bd668682bc71501ddb207ef40fde7acf1
Instruction Fuzzy Hash: 7BF0B474A1074C9FDB04EF79E441EADB7B4EF04300F108459E501EF290EA74D901CB24

Function 035052E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d074997e188c8d88a5d60030afc4a39707b7b5f6609d545dc874397b1b3f96
Instruction ID: be5c2df4cdb4a9dc206209319dfd2ae3254958c2a135984e26ca1f2868f6f84f
Opcode Fuzzy Hash: 24d074997e188c8d88a5d60030afc4a39707b7b5f6609d545dc874397b1b3f96
Instruction Fuzzy Hash: CBF0BE74A10348AFDB04EFBAE901EAEB3B8BF14300F444469A401EF2D0EA74D900CB58

Function 03505283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6d298ae3d45b786a4236d90b8c0e456aed326072d224fcc801b7ff01562862
Instruction ID: 94959df3601ab5af5733ae1eb9e0dbe9c74e60b6f05b85f7b1b90ca3bdc0b624
Opcode Fuzzy Hash: fd6d298ae3d45b786a4236d90b8c0e456aed326072d224fcc801b7ff01562862
Instruction Fuzzy Hash: 52F0B474A10349DFDB04EFA5E501EAEB7B4BF04300F004859A441EF3D1EA34D9008B54

Function 03472619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 6f7a9c943c37f98e3f0e0873bc036f3957cbb25a9d0a354364fb562de068d9e6
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 0BE092723006402BE721DE5ACC80F87776EAF92B10F04047FB5045E251CAE29D0982A8

Function 03505341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1d65a00bc45bb56f2001d05c11f987ff30541ceb3d97b536bd80dd74699df9
Instruction ID: 8e3762c0eaeff1699cffa7dba4681751da7f55f2fafdcd3067e940342229de02
Opcode Fuzzy Hash: 3b1d65a00bc45bb56f2001d05c11f987ff30541ceb3d97b536bd80dd74699df9
Instruction Fuzzy Hash: C9F08274A04248AFDB14EFBAE945E9EB7B8AF0A304F540459A501EF2E0EA74D9008719

Function 03467208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b406b89f365b94b599e2cd04a704da6d834045c4d933fceae25050edb9ce0c
Instruction ID: 1eaa88b368ebfe2f86499bc504f04404c32dc530e411ae01dde0a6828313d502
Opcode Fuzzy Hash: d1b406b89f365b94b599e2cd04a704da6d834045c4d933fceae25050edb9ce0c
Instruction Fuzzy Hash: 83F02771911BA49FD7A1D71EC084B1BB7D99F10770F0C80A3D5058F701CBB8C880C259

Function 03505227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cc8b7241de3fbeea1c669e4f20509af4bd73bb452a1adb50ec4a2542573929
Instruction ID: fcaadf93357ef1dfcf58462df79681eca5621c7e08a50d0638912278f5518a0c
Opcode Fuzzy Hash: 59cc8b7241de3fbeea1c669e4f20509af4bd73bb452a1adb50ec4a2542573929
Instruction Fuzzy Hash: 89F08274A14349AFDB14EFA9E905EAEB3B8BF04704F040459A901EF2D5EA74D9018759

Function 035051CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27614c0b321722cd015389a4f72218c943e4e3f4d7bd84dbc556bd9437fc9de7
Instruction ID: 38d543d8e079a75c91aa53d6bdcd891f4cfed83fd2100d4e3bb7cfdd33a0077a
Opcode Fuzzy Hash: 27614c0b321722cd015389a4f72218c943e4e3f4d7bd84dbc556bd9437fc9de7
Instruction Fuzzy Hash: 94F08974614249DFDB14EBA5D505E6EB3B4FF04704F040459A501DF2D1E674D901C759

Function 034AD070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 9ffeef169d6e50c0aef01988037c3aff95fb27d24efe7667c3892856a433a01b
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: E2F0EC3350461467C230A90D8C05F57F79CDBD5B70F10431ABA149F1D0DA709911D7D9

Function 034EF72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe9a5fe1952e2a9ad80cd24ae950a72b7331560a68edb950f7b65dff4361818
Instruction ID: 35ed4d1bd63d22a2262f0b3e104f95f45ae09c71ccf743989a31d218bc6a4eb7
Opcode Fuzzy Hash: 4fe9a5fe1952e2a9ad80cd24ae950a72b7331560a68edb950f7b65dff4361818
Instruction Fuzzy Hash: 80F0E274A00348AFDB04EFAAC545E9EB7B8EF08700F01006AE101EF380D974D9059718

Function 03430710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 1fd0710a63319da2ed11644edca554b72fba0162c5c75ed33d38838e812b6e8c
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: C9F0657D2047449FEB16DF16D050A997BA8EB46350F0405EAEC568F351D731E982CB98

Function 035037B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: c4aa3e67223fd07197469eea4735bb9931b4250a0d77a3865fe05afd84d458f4
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: C6E06D76210600AFE764DB59DD05FE673ACFB00720F140259B1159B0E0DAB0AE40CB64

Function 034B4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2b40f8bab896f42e6cd80b3d6a611a89936d75de41fc8a4d164c0bb6f156b7b8
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 4DE0C2343003058FD715CF1AC040BA3B7B6BFD5A10F28C069A8488F306EB32E842CB54

Function 034EB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 5f596663d67330c6833901c815b17496e20e8ef41a98c2c39fea7e269281ceee
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: 84E0CD36244714BBDB22AE40CC00F697B15DB407D1F104037FA086E690C5719C51D6DC

Function 0342823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: e69526862965b4d9414350328357fc873aaf71c7657905c100fdafe78f0a0eb6
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 9EE08C36501A20EEDB31EF12DC04B9A7AA5FB44B10F14486FE0812E4A487B0A892DA6C

Function 034B92BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b91f33541d64c2ab7218c3688c7990c6652dcafc89b10d842e63d12dc1c4641
Instruction ID: bf6aadc6c5cf7c94f79bcfe7abc214436cc4d27ced658a5eb2fb7785bf62cc42
Opcode Fuzzy Hash: 0b91f33541d64c2ab7218c3688c7990c6652dcafc89b10d842e63d12dc1c4641
Instruction Fuzzy Hash: 55F0ED34651B84CFE72ADF04C1E1F5173B9F756B40F500459D4464FBA1C73A9942DA54

Function 03432050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcd54b3d98ea7d063969fdf53cc1b0f519435bcc10e41ddfe668f0d1b7113a6
Instruction ID: ac1cf4014db6c236416173e125b753d49fb9d75f2d912ed5dcdf7151ac83f387
Opcode Fuzzy Hash: cbcd54b3d98ea7d063969fdf53cc1b0f519435bcc10e41ddfe668f0d1b7113a6
Instruction Fuzzy Hash: 02E08C322006506FC221FA6EDD00F8A739AEFAA660F00412AB1518F6A0CA60AC01C798

Function 004172F1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612390091.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d0c81b38aae8fca740e93c04b2a23338cdde90d995c001ba0cef52608088b3
Instruction ID: e69ef839118bc2e90a2fa88557779c816e6a24b978899c96037c8d60b9c34fcc
Opcode Fuzzy Hash: 30d0c81b38aae8fca740e93c04b2a23338cdde90d995c001ba0cef52608088b3
Instruction Fuzzy Hash: 37C08C07B480140181108CAE380007AF764C0AB131AA033B7C96CF3290C40282150298

Function 0342A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: eca863c40c247bf8976d57c8f2fcdcfd702b1be4a4e008988d111462f8fc5efe
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: E9D0223331203097CB28EA516800F63AD059B80AA0F0A002E3C0AEB900C8048C43C2E4

Function 034402A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 1af8e11dd02a69df77d2ff0a5028ff2a213971c9ba26eefb425c2146bf22ed1f
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 94D0C935212E80CFE61ACF0DC5A4B16B3B8BB44B44F8504E2E501CFB61D66CDD50CE04

Function 034B930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 8918a1498d00e542248342c66a48e58a5d2b5b77496fc0ff8bedb9bc0fc27af2
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 38D05E35945AC4CFE72BCB08C165B917BF8F709B40F891099E0424BBA2C37C9984CB20

Function 0346C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 2a890b930bd7248cbb28adac052e22f6e59eb69fe66143d4371bc2c99c1214f9
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 69C0123B290648AFD712EE99CD01F027BA9EB98B40F004022F2048B670C631E820EA88

Function 03450310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: ae899504ba08d532988dd7c668f4a4dc3db266a2a41fade5b46fd64f0a98a0d5
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 9BD0123A100248EFCB01DF41C890D9A772AFBD8710F148019FD190B6118A31ED62DA50

Function 03430750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 9d00354ccffe02c1898cbcf578241d35f91f9cb65e197e717ed12aa70b4c33da
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: F6C04C797016418FDF15DF1AD294F4977E4F744740F1508D1E805CF721E624E851CA14

Function 03474340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
Instruction ID: 72c92bbcb24c92b6a2295692ef5c4e4972709a11658c111f7618beda93aab60a
Opcode Fuzzy Hash: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
Instruction Fuzzy Hash: 4D900231605804129140B25848C458A4006D7F0301B95C012E0424958C8B148A565365

Function 03473010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4636aa21bb0cb6e4996e42b8d858158955d8d26882de98b84783c179bc3fe6ef
Instruction ID: ef1b1ced0675ba27183f9a7242c5c4417bef8cf81a9cd3bb6e097ee7ba9d86a8
Opcode Fuzzy Hash: 4636aa21bb0cb6e4996e42b8d858158955d8d26882de98b84783c179bc3fe6ef
Instruction Fuzzy Hash: BD90022120184842D140B3584844B4F4106C7F1302FD5C01AA4156958CCB1589555725

Function 03473090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5150c22baf50930bce8b332d14c8cae3ea1e6299f99c2500ee074dda019a5744
Instruction ID: 2c1624e538560c4c9fdae012cbbade4d66aef5da52686e89108512db981852b5
Opcode Fuzzy Hash: 5150c22baf50930bce8b332d14c8cae3ea1e6299f99c2500ee074dda019a5744
Instruction Fuzzy Hash: D790022124140C02D140B258845474B0007C7E0701F95C012A0024958D87168A6566B5

Function 03474650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc00c96bad191c4697036bd28f6d791f7d8457f265c58a44dc25d1c8497a6615
Instruction ID: 09a6dc104a7221763c81892134439d020f2e9f20716e62529d814148475769c9
Opcode Fuzzy Hash: dc00c96bad191c4697036bd28f6d791f7d8457f265c58a44dc25d1c8497a6615
Instruction Fuzzy Hash: 84900261601504424140B258484444A6006D7F13013D5C116A0554964C87188955926D

Function 034735C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
Instruction ID: 4bca997d960333c53abf703bb35b18ff92955c10a8950eac8f555f58a6710de8
Opcode Fuzzy Hash: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
Instruction Fuzzy Hash: 2690023160550802D100B258455474A1006C7E0301FA5C412A042496CD87958A5165A6

Function 03472BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
Instruction ID: 5cb4092ec6905c91303e444233e23db69c8a7823047fe6b16d9bf8a262b4ba3a
Opcode Fuzzy Hash: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
Instruction Fuzzy Hash: 7F90023120544C42D140B2584444A8A0016C7E0305F95C012A0064A98D97258E55B665

Function 03472B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a197ac23318200b7564a2045a912062a00f3ead51b91d54e88246d2539b4633
Instruction ID: bb98d3205496ada1ec8f6399f6c67ec8e504d4bcf0408c1b0014609fb924b4fb
Opcode Fuzzy Hash: 2a197ac23318200b7564a2045a912062a00f3ead51b91d54e88246d2539b4633
Instruction Fuzzy Hash: BE90023120140C02D104B25848446CA0006C7E0301F95C012A6024A59E976589917135

Function 03472BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205dda8ca7947066e8c048ef7efef9781cf025ac443f82423534e85e4cf55a9c
Instruction ID: 11c38fe69be812629be4a4c4d52382f0f1785cab8268b41d6f3e95fd67f10d3c
Opcode Fuzzy Hash: 205dda8ca7947066e8c048ef7efef9781cf025ac443f82423534e85e4cf55a9c
Instruction Fuzzy Hash: 9290023160540C02D150B258445478A0006C7E0301F95C012A0024A58D87558B5576A5

Function 03472AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eafd9c12e4bcd058fc169bb57aef2e9dbbebacc96cadbc8138ce139f17d9f337
Instruction ID: 3439920f6f3c2e2ce0ef6eb975adae44e9dbe64eb16bc2de4f4d596b8514799e
Opcode Fuzzy Hash: eafd9c12e4bcd058fc169bb57aef2e9dbbebacc96cadbc8138ce139f17d9f337
Instruction Fuzzy Hash: 37900225221404020145F658064454F0446D7E63513D5C016F1416994CC72189655325

Function 03472AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78032f4d8103c9520c3c3c73ecfd3e06f80d7e42db609ebc5109c627320c0db2
Instruction ID: 6334777e1deaf2ce256e5635b7a99c7f439acc816010344976ae90d6232f257b
Opcode Fuzzy Hash: 78032f4d8103c9520c3c3c73ecfd3e06f80d7e42db609ebc5109c627320c0db2
Instruction Fuzzy Hash: C79002A1201544924500F3588444B4E4506C7F0301B95C017E1054964CC72589519139

Function 034739B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185f9c956e42f43e7be4556c48d3a137fda8d4e4f601cb687d0473a206269c4a
Instruction ID: 47cdf6eec6ed39feeeb7053ae7b290b7846c0bf0ef8dc50b8db8d3e1c38d803e
Opcode Fuzzy Hash: 185f9c956e42f43e7be4556c48d3a137fda8d4e4f601cb687d0473a206269c4a
Instruction Fuzzy Hash: B490022124545502D150B25C444465A4006E7F0301F95C022A0814998D875589556225

Function 03472F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a42c96833ee465c85642f07621caf4f2a2629328ed28bab2b8d9e17492b657
Instruction ID: 21f84e446a88bb02145d3cab3107e2298acfa9339c0fccfcd1799706e9943cdf
Opcode Fuzzy Hash: b5a42c96833ee465c85642f07621caf4f2a2629328ed28bab2b8d9e17492b657
Instruction Fuzzy Hash: 8090026121140442D104B258444474A0046C7F1301F95C013A2154958CC7298D615129

Function 03472FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22fc12a2685a6be4b47bb12905d02a8dafba19e707ff7bc83c7eecb7135eaed1
Instruction ID: 4fd4ea6257cc6a5956cbeecab6a11a3e19f00c96f8c23b2e1c7cfa08ddc84d21
Opcode Fuzzy Hash: 22fc12a2685a6be4b47bb12905d02a8dafba19e707ff7bc83c7eecb7135eaed1
Instruction Fuzzy Hash: 8990023120180802D100B258484878B0006C7E0302F95C012A5164959E8765C9916535

Function 03472E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d955ba4e1be1f9f8bab713e987f41977471cc657b0e840e50f85bdb33f29dde
Instruction ID: 65132f1205f39add78fdf2a53685adc8f3bf2982a33afbee968ce22d1220638a
Opcode Fuzzy Hash: 4d955ba4e1be1f9f8bab713e987f41977471cc657b0e840e50f85bdb33f29dde
Instruction Fuzzy Hash: 2B90022130140802D102B258445464A000AC7E1345FD5C013E1424959D87258A53A136

Function 03472EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
Instruction ID: dfe9b4d20b83632294945e48237db2af787c42e5f342c93c6f8b94d8409d2823
Opcode Fuzzy Hash: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
Instruction Fuzzy Hash: DF90026120180803D140B658484464B0006C7E0302F95C012A2064959E8B298D516139

Function 03473D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0bccb976f22f9d697445e27023030ec3e9cd18eebedda095c33fed21bddf57
Instruction ID: 84404a08f22c07be66698be284cda465f0b9658ed4b11bbed20e1ba2347588e0
Opcode Fuzzy Hash: 3f0bccb976f22f9d697445e27023030ec3e9cd18eebedda095c33fed21bddf57
Instruction Fuzzy Hash: 8590023520140802D510B258584468A0047C7E0301F95D412A042495CD875489A1A125

Function 03472D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc61d4a4a54ec31839cd2255202ee416375b6327c78a2bf2874e43ae9d82867
Instruction ID: f86384e5648168a8c7efcf50e52089e3f94c5881b9d4f7b8a1cd6f055e41013e
Opcode Fuzzy Hash: 0bc61d4a4a54ec31839cd2255202ee416375b6327c78a2bf2874e43ae9d82867
Instruction Fuzzy Hash: AF90022120544842D100B6585448A4A0006C7E0305F95D012A1064999DC7358951A135

Function 03473D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b587f3663bec5e6e50a9c594d1d95212efc12a3f6a443b08e008b24b60665b98
Instruction ID: efa34ec265412a91014986160917549e17317042c3f681a959d16d9426b4e8b4
Opcode Fuzzy Hash: b587f3663bec5e6e50a9c594d1d95212efc12a3f6a443b08e008b24b60665b98
Instruction Fuzzy Hash: 59900231202405429540B3585844A8E4106C7F1302BD5D416A0015958CCB1489615225

Function 03472DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9ab9a34ed053ebe7e115e71e602d868011da3c5897177c1771e566fa96301c
Instruction ID: 5e7e0bcc90fcd5acff92a06363dc1b40c7b5f7a0316bfad2fc678054a9fd36a2
Opcode Fuzzy Hash: be9ab9a34ed053ebe7e115e71e602d868011da3c5897177c1771e566fa96301c
Instruction Fuzzy Hash: 0590023124140802D141B258444464A000AD7E0341FD5C013A0424958E87558B56AA65

Function 03472890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0347293C
___swprintf_l.LIBCMT ref: 0347295E
___swprintf_l.LIBCMT ref: 034729A3
___swprintf_l.LIBCMT ref: 034AA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 034AA54E
:%u.%u.%u.%u, xrefs: 034AA5B8
ffff:, xrefs: 034AA504
::%hs%u.%u.%u.%u, xrefs: 034AA527

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: dfb2ab201aba613860b8ddaddb2c2ce2a578490b72da1ce0d487f64dedbc36d7
Instruction ID: 3849aca05d3806e097de92d7cbcdbed50a850603cac0f28d50e16cbdd20129d1
Opcode Fuzzy Hash: dfb2ab201aba613860b8ddaddb2c2ce2a578490b72da1ce0d487f64dedbc36d7
Instruction Fuzzy Hash: 9451D5B5B00516BFCB10DB9888909BFF7B8BB49200758866BE4A5DF641D274DE40CBA8

Function 03467630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 034A4655
CLIENT(ntdll): Processing section info %ws..., xrefs: 034A4787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 034A46FC
ExecuteOptions, xrefs: 034A46A0
Execute=1, xrefs: 034A4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 034A4725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 034A4742

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 6155378a286dc3fc4561b155d6678c8ba13fa7811350f1e1be1f24cac9b4c065
Instruction ID: 6633c514fc4ea3ec2782d37d2437d68f5bea1f8772490947faf64e61b3f56107
Opcode Fuzzy Hash: 6155378a286dc3fc4561b155d6678c8ba13fa7811350f1e1be1f24cac9b4c065
Instruction Fuzzy Hash: F5513B756003096EDB20EFA9DC85FEE7BB8AF14314F1400ABD505AF390E771AA458B59

Function 0347B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0347B6BF

Strings

0, xrefs: 0347B695
-, xrefs: 0347B650
0, xrefs: 0347B66F
+, xrefs: 0347B65A

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 190be8e3f855835c29307f5b229531a12148b597511bb2a7c84519a7f6e38254
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 6E81BF74E052499EDF24CE68C8917FEBBB6EF45320F1C425BD861AF390C73498418B69

Function 0345F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034A02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034A02E7
RTL: Re-Waiting, xrefs: 034A031E

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
Instruction ID: 500a430ecd6e8a603e56fcd3d3d0ca1709eda35d9053f14df8333e05cd389bdd
Opcode Fuzzy Hash: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
Instruction Fuzzy Hash: D8E18C31A04B41DFD724CF28C884B6AB7E4BB44314F180A5EF9A58F3A1D775D949CB4A

Function 0346BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 034A7B7F
RTL: Re-Waiting, xrefs: 034A7BAC
RTL: Resource at %p, xrefs: 034A7B8E

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
Instruction ID: 744f114dd1256efbd74b17aaf5c9c18e0a9d0bafc8693eca25f5ba6320665f04
Opcode Fuzzy Hash: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
Instruction Fuzzy Hash: 7D41E5353007029FC728DE2ACC40B6BB7E9EB98710F14091EE956DF790D731E4058B9A

Function 0346B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034A728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 034A7294
RTL: Re-Waiting, xrefs: 034A72C1
RTL: Resource at %p, xrefs: 034A72A3

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
Instruction ID: 86e0366dad6b11ba8a6465968d3d7410d6f35a5f7bbe669803305ce7843c7ec0
Opcode Fuzzy Hash: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
Instruction Fuzzy Hash: 3D41E136700A06AFC720DE6ACC41B6ABBA5FB94714F14462BF855DF380DB21F81687D9

Function 03477D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 03477E8B

Strings

-, xrefs: 03477DDD
+, xrefs: 03477DE8

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 3797f2461f9603d70e8fd521aef8a8712ad08115261ae9cbbc3048cfe937b5e3
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 9B918170E002169EDB24DF69C981AFFBBA5AF44720F98451BE865EF3D0D73099428B58

Function 03439126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 03439175
$, xrefs: 03439191

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
Instruction ID: ab6d1f0bf04d725aa5249a3fc28d94c7fe4129c2b41d4a5fb15b4e3b71714d27
Opcode Fuzzy Hash: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
Instruction Fuzzy Hash: D5814B76D002699BEB31CF54CC44BEEB6B4AB09710F0445EBE919BB290D7709E85CFA4

Function 034BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 034BCFBD

Strings

@, xrefs: 034BCF0A
@4Qw@4Qw, xrefs: 034BCFD5, 034BCFDA, 034BCFF1

Memory Dump Source

Source File: 00000002.00000002.1612833681.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true

Associated: 00000002.00000002.1612833681.0000000003529000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000352D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1612833681.000000000359E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3400000_svchost.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: 2a30a1edc8bfe871ecaba4ab18783712042292f0be744d4f4a67eccdf261066a
Instruction ID: d8673e1b50d7549f4fd3a54e175278ac9f8885952cd28c1a89e94d069ad56271
Opcode Fuzzy Hash: 2a30a1edc8bfe871ecaba4ab18783712042292f0be744d4f4a67eccdf261066a
Instruction Fuzzy Hash: 93418E79A00224DFDB21DF99D880AAEBBB8FF46B04F04446BE914DF264D774D801CB69

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Order #60-958400861900.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\colliquefaction

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
New Order #60-958400861900.exe

Function 038FA036 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 481
nativeCOMMON

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Function 038FA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Function 0041A50A Relevance: 1.6, APIs: 1, Instructions: 61
memorynativeCOMMON

Function 0041A2EA Relevance: 1.6, APIs: 1, Instructions: 57
filenativeCOMMON

Function 0041A58B Relevance: 1.6, APIs: 1, Instructions: 50
memorynativeCOMMON

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON