Windows Analysis Report
rOr__amentoprim.exe

Overview

General Information

Sample name:rOr__amentoprim.exe
Analysis ID:1546127
MD5:612718c6253a9149b34e80f7bc47bef9
SHA1:259510c8d3c327a040f60630ac3935aa82fbb91f
SHA256:6e6db1ec92a7063e96f51aa8a22edd45be2e467fdf45f71be60e086382705684
Tags:exeuser-Porcupine

Detection

FormBook
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • rOr__amentoprim.exe (PID: 1012 cmdline: "C:\Users\user\Desktop\rOr__amentoprim.exe" MD5: 612718C6253A9149B34E80F7BC47BEF9)
    • svchost.exe (PID: 3804 cmdline: "C:\Users\user\Desktop\rOr__amentoprim.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2189639612.00000000008E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Yara matches in unpacked PEs

Source | Rule | Description | Author | Strings
4.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
4.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

          System Summary

          barindex
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\rOr__amentoprim.exe", CommandLine: "C:\Users\user\Desktop\rOr__amentoprim.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rOr__amentoprim.exe", ParentImage: C:\Users\user\Desktop\rOr__amentoprim.exe, ParentProcessId: 1012, ParentProcessName: rOr__amentoprim.exe, ProcessCommandLine: "C:\Users\user\Desktop\rOr__amentoprim.exe", ProcessId: 3804, ProcessName: svchost.exe
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\rOr__amentoprim.exe", CommandLine: "C:\Users\user\Desktop\rOr__amentoprim.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rOr__amentoprim.exe", ParentImage: C:\Users\user\Desktop\rOr__amentoprim.exe, ParentProcessId: 1012, ParentProcessName: rOr__amentoprim.exe, ProcessCommandLine: "C:\Users\user\Desktop\rOr__amentoprim.exe", ProcessId: 3804, ProcessName: svchost.exe
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-10-31T14:32:17.898204+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49730 | TCP
          2024-10-31T14:32:57.851279+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49737 | TCP
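The two Sigma matches above carry the whole story of this sample in one process-creation event: a 32-bit svchost.exe from SysWOW64, started by a Desktop executable rather than services.exe, with a command line that still names the parent binary. That is the footprint of a hollowed svchost.exe, and it is far better evidence than the two Suricata hits below it, which are a CAB-parsing exploit content signature firing inside port 443 traffic that is normally TLS. The script below, an added example that is not Joe Sandbox or Sigma project code, approximates the logic of "Uncommon Svchost Parent Process" and adds three checks a hollowed svchost.exe fails. The event is built from the fields shown in the Sigma match; the benign event and the EXPECTED_SVCHOST_PARENTS allow-list are assumptions for illustration, not the real rule's filter list.

```python
"""Sigma-style triage of svchost.exe process-creation events.

Added example; not code from Joe Sandbox or from the Sigma project. It
approximates the logic behind "Uncommon Svchost Parent Process" and adds
three checks a hollowed svchost.exe tends to fail. EXPECTED_SVCHOST_PARENTS
is an assumption for illustration, not the rule's real filter list.
"""
from dataclasses import dataclass

# ASSUMPTION: images that legitimately spawn svchost.exe on a Windows client.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Constructed from the fields of the report's Sigma match (PID 3804 under PID 1012).
REPORT_EVENT = ProcessEvent(
    pid=3804,
    image=r"C:\Windows\SysWOW64\svchost.exe",
    command_line=r'"C:\Users\user\Desktop\rOr__amentoprim.exe"',
    parent_pid=1012,
    parent_image=r"C:\Users\user\Desktop\rOr__amentoprim.exe",
)

# Constructed benign event: a service host started by the Service Control Manager.
BENIGN_EVENT = ProcessEvent(
    pid=1200,
    image=r"C:\Windows\System32\svchost.exe",
    command_line=r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
    parent_pid=700,
    parent_image=r"C:\Windows\System32\services.exe",
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _first_token(command_line: str) -> str:
    """Executable part of a command line, honouring a quoted first argument."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def svchost_findings(ev: ProcessEvent) -> list[str]:
    """Reasons this svchost.exe start looks wrong; empty list means it looks normal."""
    if _basename(ev.image) != "svchost.exe":
        return []
    findings = []
    if _basename(ev.parent_image) not in EXPECTED_SVCHOST_PARENTS:
        findings.append(f"uncommon parent {ev.parent_image} (pid {ev.parent_pid})")
    # A hollowed svchost.exe keeps the command line the injector passed to
    # CreateProcess, so the command line does not even name svchost.exe.
    if _basename(_first_token(ev.command_line)) != "svchost.exe":
        findings.append(f"command line does not name svchost.exe: {ev.command_line}")
    # services.exe always passes a service group with -k.
    if "-k" not in ev.command_line.lower().split():
        findings.append("no '-k <group>' argument")
    # Service hosts on x64 Windows run from System32; a SysWOW64 copy means a
    # 32-bit launcher picked it as a hollowing target.
    if "\\syswow64\\" in ev.image.lower():
        findings.append("32-bit svchost.exe from SysWOW64")
    return findings


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """pid -> findings, only for events that produced at least one finding."""
    out = {}
    for ev in events:
        f = svchost_findings(ev)
        if f:
            out[ev.pid] = f
    return out


if __name__ == "__main__":
    for pid, reasons in triage([BENIGN_EVENT, REPORT_EVENT]).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

Run against the report's event this produces four findings; the benign Service Control Manager launch produces none. The command-line and -k checks are the ones worth keeping in a production rule: they do not depend on an allow-list and still catch a hollowed host whose parent happens to be on it.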


          AV Detection

          barindex
          Source: rOr__amentoprim.exeAvira: detected
          Source: Yara matchFile source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.2189639612.00000000008E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
          Source: rOr__amentoprim.exeJoe Sandbox ML: detected
          Source: rOr__amentoprim.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000004.00000002.2189946586.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2155394881.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2157290028.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000004.00000002.2189946586.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2155394881.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2157290028.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49737
          Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49730

          E-Banking Fraud

          barindex
          Source: Yara matchFile source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.2189639612.00000000008E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: rOr__amentoprim.exe, 00000000.00000000.1708031558.0000000000ED2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7086d90a-a
          Source: rOr__amentoprim.exe, 00000000.00000000.1708031558.0000000000ED2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9fd4a77a-6
          Source: rOr__amentoprim.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_aec7d9af-8
          Source: rOr__amentoprim.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f1c8b165-6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0042C633 NtClose,4_2_0042C633
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034735C0 NtCreateMutant,LdrInitializeThunk,4_2_034735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472B60 NtClose,LdrInitializeThunk,4_2_03472B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_03472DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03474340 NtSetContextThread,4_2_03474340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03473010 NtOpenDirectoryObject,4_2_03473010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03473090 NtSetValueKey,4_2_03473090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03474650 NtSuspendThread,4_2_03474650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472BE0 NtQueryValueKey,4_2_03472BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472BF0 NtAllocateVirtualMemory,4_2_03472BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472B80 NtQueryInformationFile,4_2_03472B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472BA0 NtEnumerateValueKey,4_2_03472BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472AD0 NtReadFile,4_2_03472AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472AF0 NtWriteFile,4_2_03472AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472AB0 NtWaitForSingleObject,4_2_03472AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034739B0 NtGetContextThread,4_2_034739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472F60 NtCreateProcessEx,4_2_03472F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472F30 NtCreateSection,4_2_03472F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472FE0 NtCreateFile,4_2_03472FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472F90 NtProtectVirtualMemory,4_2_03472F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472FA0 NtQuerySection,4_2_03472FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472FB0 NtResumeThread,4_2_03472FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472E30 NtWriteVirtualMemory,4_2_03472E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472EE0 NtQueueApcThread,4_2_03472EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472E80 NtReadVirtualMemory,4_2_03472E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472EA0 NtAdjustPrivilegesToken,4_2_03472EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03473D70 NtOpenThread,4_2_03473D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472D00 NtSetInformationFile,4_2_03472D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472D10 NtMapViewOfSection,4_2_03472D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03473D10 NtOpenProcessToken,4_2_03473D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472D30 NtUnmapViewOfSection,4_2_03472D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472DD0 NtDelayExecution,4_2_03472DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472DB0 NtEnumerateKey,4_2_03472DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472C60 NtCreateKey,4_2_03472C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472C70 NtFreeVirtualMemory,4_2_03472C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472C00 NtQueryInformationProcess,4_2_03472C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472CC0 NtQueryVirtualMemory,4_2_03472CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472CF0 NtOpenProcess,4_2_03472CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472CA0 NtQueryInformationToken,4_2_03472CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041684E4_2_0041684E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004168534_2_00416853
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041680C4_2_0041680C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004101034_2_00410103
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004239114_2_00423911
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004029204_2_00402920
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004031F04_2_004031F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040E1834_2_0040E183
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004011B04_2_004011B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004023404_2_00402340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004023364_2_00402336
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0042EC434_2_0042EC43
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004025304_2_00402530
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040FEDC4_2_0040FEDC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040FEE34_2_0040FEE3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342D34C4_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FA3524_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F132D4_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344E3F04_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035003E64_2_035003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0348739A4_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034E02744_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345B2C04_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034E12ED4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034452A04_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0347516C4_2_0347516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F1724_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0350B16B4_2_0350B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034301004_2_03430100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034DA1184_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F81CC4_2_034F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344B1B04_2_0344B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035001AA4_2_035001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034EF0CC4_2_034EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C04_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F70E94_2_034F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FF0E04_2_034FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034647504_2_03464750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034407704_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343C7C04_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FF7B04_2_034FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F16CC4_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345C6E04_2_0345C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F75714_2_034F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034405354_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035005914_2_03500591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034DD5B04_2_034DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F24464_2_034F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034314604_2_03431460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FF43F4_2_034FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034EE4F64_2_034EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FAB404_2_034FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FFB764_2_034FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F6BD74_2_034F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0347DBF94_2_0347DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345FB804_2_0345FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FFA494_2_034FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F7A464_2_034F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B3A6C4_2_034B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034EDAC64_2_034EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343EA804_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034DDAAC4_2_034DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03485AA04_2_03485AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034499504_2_03449950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345B9504_2_0345B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034569624_2_03456962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034429A04_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0350A9A64_2_0350A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034428404_2_03442840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344A8404_2_0344A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AD8004_2_034AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034438E04_2_034438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346E8F04_2_0346E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034268B84_2_034268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B4F404_2_034B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FFF094_2_034FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03482F284_2_03482F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03460F304_2_03460F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03432FC84_2_03432FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03441F924_2_03441F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FFFB14_2_034FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440E594_2_03440E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FEE264_2_034FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FEEDB4_2_034FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03452E904_2_03452E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FCE934_2_034FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03449EB04_2_03449EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03443D404_2_03443D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F1D5A4_2_034F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F7D734_2_034F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344AD004_2_0344AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345FDC04_2_0345FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343ADE04_2_0343ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03458DBF4_2_03458DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440C004_2_03440C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B9C324_2_034B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03430CF24_2_03430CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034FFCF24_2_034FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034E0CB54_2_034E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034AEA12 appears 84 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B970 appears 251 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03475130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03487E54 appears 86 times
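The native-function list above (NtCreateProcessEx, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, NtQueueApcThread, NtOpenThread, NtOpenProcessToken, NtAdjustPrivilegesToken) is more than the sum of its parts: grouped by what each call does in an injection chain, it covers every step of process hollowing and of APC and section-mapping injection, which matches the suspended-svchost.exe behaviour the report shows. Two caveats. First, a resolved function is not an executed one; the report measures 0.7 % API coverage and flags a large amount of non-executed APIs, so this is static triage. Second, the stubs live at 0x0347xxxx and call LdrInitializeThunk, and the same region carries the wntdll.pdb string, which points to a second, manually mapped copy of ntdll used to sidestep user-mode hooks; that is an inference from the report, not something it states. The script below is an added example, not Joe Sandbox code; the cluster definitions are the author's own heuristic and an assumption, while REPORT_FUNCTIONS is copied from the findings above.

```python
"""Group the Nt* functions a sample resolves into injection-primitive clusters.

Added example; not Joe Sandbox code. The cluster definitions are the author's
triage heuristic (an assumption). REPORT_FUNCTIONS is copied from the
"call native functions" findings for svchost.exe (process 4) in the report.
"""

# Each cluster is an ordered list of steps; a step is satisfied by any one of
# the functions in its set. A cluster is "complete" when every step is covered.
CLUSTERS: dict[str, list[set[str]]] = {
    "process hollowing": [
        {"NtCreateProcessEx", "NtCreateUserProcess", "NtOpenProcess"},  # get a target
        {"NtUnmapViewOfSection"},                                        # drop the original image
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},                  # place the payload
        {"NtSetContextThread"},                                          # move the entry point
        {"NtResumeThread"},                                              # run it
    ],
    "section mapping injection": [
        {"NtCreateSection"},
        {"NtMapViewOfSection"},
        {"NtOpenProcess", "NtCreateProcessEx"},
        {"NtResumeThread", "NtQueueApcThread", "NtSetContextThread"},
    ],
    "APC injection": [
        {"NtOpenProcess", "NtCreateProcessEx"},
        {"NtOpenThread", "NtSuspendThread"},
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"NtQueueApcThread"},
    ],
    "token manipulation": [{"NtOpenProcessToken"}, {"NtAdjustPrivilegesToken"}],
    "anti-analysis": [{"NtQueryInformationProcess"}, {"NtDelayExecution"}],
}

# Copied from the report's native-function findings for svchost.exe.
REPORT_FUNCTIONS = {
    "NtClose", "NtCreateMutant", "NtQuerySystemInformation", "NtSetContextThread",
    "NtOpenDirectoryObject", "NtSetValueKey", "NtSuspendThread", "NtQueryValueKey",
    "NtAllocateVirtualMemory", "NtQueryInformationFile", "NtEnumerateValueKey",
    "NtReadFile", "NtWriteFile", "NtWaitForSingleObject", "NtGetContextThread",
    "NtCreateProcessEx", "NtCreateSection", "NtCreateFile", "NtProtectVirtualMemory",
    "NtQuerySection", "NtResumeThread", "NtWriteVirtualMemory", "NtQueueApcThread",
    "NtReadVirtualMemory", "NtAdjustPrivilegesToken", "NtOpenThread",
    "NtSetInformationFile", "NtMapViewOfSection", "NtOpenProcessToken",
    "NtUnmapViewOfSection", "NtDelayExecution", "NtEnumerateKey", "NtCreateKey",
    "NtFreeVirtualMemory", "NtQueryInformationProcess", "NtQueryVirtualMemory",
    "NtOpenProcess", "NtQueryInformationToken",
}

# Constructed contrast set: what a plain file-handling program might resolve.
BENIGN_FUNCTIONS = {"NtClose", "NtCreateFile", "NtReadFile", "NtWriteFile",
                    "NtQueryInformationProcess"}


def cluster_coverage(functions: set[str]) -> dict[str, tuple[int, int, list[str]]]:
    """name -> (steps satisfied, steps total, functions that satisfied them)."""
    result = {}
    for name, steps in CLUSTERS.items():
        hit = [sorted(step & functions) for step in steps]
        satisfied = sum(1 for h in hit if h)
        matched = sorted({f for h in hit for f in h})
        result[name] = (satisfied, len(steps), matched)
    return result


def complete_clusters(functions: set[str]) -> list[str]:
    """Clusters for which every step has at least one resolved function."""
    return sorted(n for n, (s, t, _) in cluster_coverage(functions).items() if s == t)


if __name__ == "__main__":
    for name, (s, t, matched) in cluster_coverage(REPORT_FUNCTIONS).items():
        print(f"{name:26} {s}/{t}  {', '.join(matched)}")
    print("complete:", complete_clusters(REPORT_FUNCTIONS))
```

For the report's function set every cluster is complete; for the constructed benign set none is, and anti-analysis sits at 1/2 because NtQueryInformationProcess alone is routine. Partial coverage is the useful signal in practice: a sample that resolves NtUnmapViewOfSection and NtSetContextThread but no file or registry functions deserves a look even when the chain is not complete.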
          Source: rOr__amentoprim.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/1@0/0
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeFile created: C:\Users\user\AppData\Local\Temp\konked
          Source: rOr__amentoprim.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\rOr__amentoprim.exe "C:\Users\user\Desktop\rOr__amentoprim.exe"
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rOr__amentoprim.exe"
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rOr__amentoprim.exe"
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: wsock32.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: version.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: winmm.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: mpr.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: wininet.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: userenv.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeSection loaded: kernel.appcore.dll
          Source: rOr__amentoprim.exeStatic file information: File size 1583616 > 1048576
          Source: rOr__amentoprim.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: rOr__amentoprim.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: rOr__amentoprim.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: rOr__amentoprim.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: rOr__amentoprim.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: rOr__amentoprim.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: rOr__amentoprim.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000004.00000002.2189946586.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2155394881.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2157290028.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000004.00000002.2189946586.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2155394881.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2157290028.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: rOr__amentoprim.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: rOr__amentoprim.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: rOr__amentoprim.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: rOr__amentoprim.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: rOr__amentoprim.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004030C8 push 1B94128Fh; iretd 4_2_004030CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004242F8 push esi; retf 4_2_004242F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040D290 push CD5A526Fh; retf 4_2_0040D29D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004053EA push esi; retf 4_2_004053EB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00403470 push eax; ret 4_2_00403472
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00401420 push dword ptr [eax+54E4DA92h]; retf 4_2_004014EA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_004014F0 push dword ptr [eax+54E4DA92h]; retf 4_2_004014EA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00401509 push esi; retf 4_2_0040151D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041F5EC push 422D53B1h; iretd 4_2_0041F5F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0041A63E push ecx; retf 4_2_0041A63F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_00418EA3 push cs; iretd 4_2_00418EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0040B7A0 pushfd ; iretd 4_2_0040B7A1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034309AD push ecx; mov dword ptr [esp], ecx4_2_034309B6
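The push/ret pairs listed above are the report's evidence for "Uses code obfuscation techniques (call, push, ret)": an immediate or register is pushed and then consumed by ret, retf or iretd, which turns the pair into a disguised jump that breaks linear disassembly and stack-based call tracing. retf and iretd in particular have no legitimate use in 32-bit user-mode Windows code, so they are worth a higher weight than a plain ret. The scanner below is an added example and not part of the report. Its input is hand-assembled from the instruction pairs listed above plus an ordinary function prologue and epilogue as a negative control; it is constructed, not dumped from the sample. It is a linear byte scan rather than a disassembler, so a byte inside an operand can look like a push: use it for triage and confirm hits in a real disassembler.

```python
"""Scan raw 32-bit x86 code bytes for push/ret style control-flow obfuscation.

Added example; not part of the Joe Sandbox report. SAMPLE is constructed by
hand-assembling the instruction pairs the report lists (plus a benign
prologue/epilogue); it is not a dump of the sample's code.
"""
from typing import NamedTuple


class Gadget(NamedTuple):
    offset: int
    text: str
    severity: str  # "high" for retf/iretd in user-mode code, "medium" for plain ret


REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def _decode_push(code: bytes, i: int):
    """Return (mnemonic, length) if code[i:] starts with a push form we recognise.

    Memory-operand pushes (FF /6) are skipped to keep the decoder short.
    """
    op = code[i]
    if op == 0x68 and i + 5 <= len(code):                 # push imm32
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    if op == 0x6A and i + 2 <= len(code):                 # push imm8
        return f"push {code[i + 1]:02X}h", 2
    if 0x50 <= op <= 0x57:                                # push r32
        return f"push {REG32[op - 0x50]}", 1
    if op == 0x9C:                                        # pushfd
        return "pushfd", 1
    if op in SEG_PUSH:                                    # push seg
        return f"push {SEG_PUSH[op]}", 1
    return None


def find_push_ret_gadgets(code: bytes) -> list[Gadget]:
    """Every offset where a recognised push is immediately followed by ret/retf/iretd."""
    found = []
    for i in range(len(code)):
        dec = _decode_push(code, i)
        if dec is None:
            continue
        mnemonic, length = dec
        j = i + length
        if j < len(code) and code[j] in RET_OPCODES:
            ret = RET_OPCODES[code[j]]
            severity = "medium" if ret == "ret" else "high"
            found.append(Gadget(i, f"{mnemonic}; {ret}", severity))
    return found


def obfuscation_score(code: bytes) -> int:
    """Simple weight: 2 per far/interrupt return gadget, 1 per plain ret gadget."""
    return sum(2 if g.severity == "high" else 1 for g in find_push_ret_gadgets(code))


# Constructed input: the report's instruction pairs, hand-assembled, with NOP
# padding and a benign "push ebp; mov ebp, esp; pop ebp; ret" at the end.
SAMPLE = bytes.fromhex(
    "90 90 "
    "68 8F 12 94 1B CF "   # push 1B94128Fh; iretd   (listed at 4_2_004030C8)
    "90 "
    "56 CB "               # push esi; retf          (listed at 4_2_004242F8)
    "50 C3 "               # push eax; ret           (listed at 4_2_00403470)
    "9C CF "               # pushfd; iretd           (listed at 4_2_0040B7A0)
    "0E CF "               # push cs; iretd          (listed at 4_2_00418EA3)
    "55 8B EC 5D C3 "      # ordinary prologue/epilogue, must not match
)

if __name__ == "__main__":
    for g in find_push_ret_gadgets(SAMPLE):
        print(f"{g.offset:#06x}  {g.severity:6}  {g.text}")
    print("score:", obfuscation_score(SAMPLE))
```

On the constructed input the scan reports five gadgets (four high, one medium) and ignores the prologue's push ebp because it is followed by mov, not a return. On real code, normalise by section size before comparing samples, and treat a cluster of retf/iretd gadgets in a .text section as a strong hint that the section is packer or loader output rather than compiler output.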
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Source: C:\Users\user\Desktop\rOr__amentoprim.exeAPI/Special instruction interceptor: Address: 137B78C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AD1C0 rdtsc 4_2_034AD1C0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 4908Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AD1C0 rdtsc 4_2_034AD1C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_004177A3 LdrLoadDll, | 4_2_004177A3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B2349 mov eax, dword ptr fs:[00000030h] | 4_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342D34C mov eax, dword ptr fs:[00000030h] | 4_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342D34C mov eax, dword ptr fs:[00000030h] | 4_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03505341 mov eax, dword ptr fs:[00000030h] | 4_2_03505341
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429353 mov eax, dword ptr fs:[00000030h] | 4_2_03429353
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429353 mov eax, dword ptr fs:[00000030h] | 4_2_03429353
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B035C mov eax, dword ptr fs:[00000030h] | 4_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B035C mov eax, dword ptr fs:[00000030h] | 4_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B035C mov eax, dword ptr fs:[00000030h] | 4_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B035C mov ecx, dword ptr fs:[00000030h] | 4_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B035C mov eax, dword ptr fs:[00000030h] | 4_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B035C mov eax, dword ptr fs:[00000030h] | 4_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034FA352 mov eax, dword ptr fs:[00000030h] | 4_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EF367 mov eax, dword ptr fs:[00000030h] | 4_2_034EF367
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034D437C mov eax, dword ptr fs:[00000030h] | 4_2_034D437C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03437370 mov eax, dword ptr fs:[00000030h] | 4_2_03437370
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03437370 mov eax, dword ptr fs:[00000030h] | 4_2_03437370
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03437370 mov eax, dword ptr fs:[00000030h] | 4_2_03437370
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B930B mov eax, dword ptr fs:[00000030h] | 4_2_034B930B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B930B mov eax, dword ptr fs:[00000030h] | 4_2_034B930B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B930B mov eax, dword ptr fs:[00000030h] | 4_2_034B930B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346A30B mov eax, dword ptr fs:[00000030h] | 4_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346A30B mov eax, dword ptr fs:[00000030h] | 4_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346A30B mov eax, dword ptr fs:[00000030h] | 4_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342C310 mov ecx, dword ptr fs:[00000030h] | 4_2_0342C310
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03450310 mov ecx, dword ptr fs:[00000030h] | 4_2_03450310
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F132D mov eax, dword ptr fs:[00000030h] | 4_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F132D mov eax, dword ptr fs:[00000030h] | 4_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345F32A mov eax, dword ptr fs:[00000030h] | 4_2_0345F32A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03427330 mov eax, dword ptr fs:[00000030h] | 4_2_03427330
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EC3CD mov eax, dword ptr fs:[00000030h] | 4_2_034EC3CD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EB3D0 mov ecx, dword ptr fs:[00000030h] | 4_2_034EB3D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EF3E6 mov eax, dword ptr fs:[00000030h] | 4_2_034EF3E6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_035053FC mov eax, dword ptr fs:[00000030h] | 4_2_035053FC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034403E9 mov eax, dword ptr fs:[00000030h] | 4_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0344E3F0 mov eax, dword ptr fs:[00000030h] | 4_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0344E3F0 mov eax, dword ptr fs:[00000030h] | 4_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0344E3F0 mov eax, dword ptr fs:[00000030h] | 4_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034663FF mov eax, dword ptr fs:[00000030h] | 4_2_034663FF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342E388 mov eax, dword ptr fs:[00000030h] | 4_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342E388 mov eax, dword ptr fs:[00000030h] | 4_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342E388 mov eax, dword ptr fs:[00000030h] | 4_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345438F mov eax, dword ptr fs:[00000030h] | 4_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345438F mov eax, dword ptr fs:[00000030h] | 4_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0350539D mov eax, dword ptr fs:[00000030h] | 4_2_0350539D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0348739A mov eax, dword ptr fs:[00000030h] | 4_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0348739A mov eax, dword ptr fs:[00000030h] | 4_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03428397 mov eax, dword ptr fs:[00000030h] | 4_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03428397 mov eax, dword ptr fs:[00000030h] | 4_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03428397 mov eax, dword ptr fs:[00000030h] | 4_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034533A5 mov eax, dword ptr fs:[00000030h] | 4_2_034533A5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034633A0 mov eax, dword ptr fs:[00000030h] | 4_2_034633A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034633A0 mov eax, dword ptr fs:[00000030h] | 4_2_034633A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429240 mov eax, dword ptr fs:[00000030h] | 4_2_03429240
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429240 mov eax, dword ptr fs:[00000030h] | 4_2_03429240
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346724D mov eax, dword ptr fs:[00000030h] | 4_2_0346724D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342A250 mov eax, dword ptr fs:[00000030h] | 4_2_0342A250
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EB256 mov eax, dword ptr fs:[00000030h] | 4_2_034EB256
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EB256 mov eax, dword ptr fs:[00000030h] | 4_2_034EB256
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03436259 mov eax, dword ptr fs:[00000030h] | 4_2_03436259
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03434260 mov eax, dword ptr fs:[00000030h] | 4_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03434260 mov eax, dword ptr fs:[00000030h] | 4_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03434260 mov eax, dword ptr fs:[00000030h] | 4_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034FD26B mov eax, dword ptr fs:[00000030h] | 4_2_034FD26B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034FD26B mov eax, dword ptr fs:[00000030h] | 4_2_034FD26B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342826B mov eax, dword ptr fs:[00000030h] | 4_2_0342826B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03459274 mov eax, dword ptr fs:[00000030h] | 4_2_03459274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03471270 mov eax, dword ptr fs:[00000030h] | 4_2_03471270
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03471270 mov eax, dword ptr fs:[00000030h] | 4_2_03471270
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E0274 mov eax, dword ptr fs:[00000030h] | 4_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03467208 mov eax, dword ptr fs:[00000030h] | 4_2_03467208
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03467208 mov eax, dword ptr fs:[00000030h] | 4_2_03467208
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03505227 mov eax, dword ptr fs:[00000030h] | 4_2_03505227
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342823B mov eax, dword ptr fs:[00000030h] | 4_2_0342823B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0343A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B2C0 mov eax, dword ptr fs:[00000030h] | 4_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B2C0 mov eax, dword ptr fs:[00000030h] | 4_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B2C0 mov eax, dword ptr fs:[00000030h] | 4_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B2C0 mov eax, dword ptr fs:[00000030h] | 4_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B2C0 mov eax, dword ptr fs:[00000030h] | 4_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B2C0 mov eax, dword ptr fs:[00000030h] | 4_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B2C0 mov eax, dword ptr fs:[00000030h] | 4_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034392C5 mov eax, dword ptr fs:[00000030h] | 4_2_034392C5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034392C5 mov eax, dword ptr fs:[00000030h] | 4_2_034392C5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342B2D3 mov eax, dword ptr fs:[00000030h] | 4_2_0342B2D3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342B2D3 mov eax, dword ptr fs:[00000030h] | 4_2_0342B2D3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342B2D3 mov eax, dword ptr fs:[00000030h] | 4_2_0342B2D3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345F2D0 mov eax, dword ptr fs:[00000030h] | 4_2_0345F2D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345F2D0 mov eax, dword ptr fs:[00000030h] | 4_2_0345F2D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E12ED mov eax, dword ptr fs:[00000030h] | 4_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034402E1 mov eax, dword ptr fs:[00000030h] | 4_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034402E1 mov eax, dword ptr fs:[00000030h] | 4_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034402E1 mov eax, dword ptr fs:[00000030h] | 4_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_035052E2 mov eax, dword ptr fs:[00000030h] | 4_2_035052E2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EF2F8 mov eax, dword ptr fs:[00000030h] | 4_2_034EF2F8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034292FF mov eax, dword ptr fs:[00000030h] | 4_2_034292FF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346E284 mov eax, dword ptr fs:[00000030h] | 4_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346E284 mov eax, dword ptr fs:[00000030h] | 4_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B0283 mov eax, dword ptr fs:[00000030h] | 4_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B0283 mov eax, dword ptr fs:[00000030h] | 4_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B0283 mov eax, dword ptr fs:[00000030h] | 4_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03505283 mov eax, dword ptr fs:[00000030h] | 4_2_03505283
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346329E mov eax, dword ptr fs:[00000030h] | 4_2_0346329E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346329E mov eax, dword ptr fs:[00000030h] | 4_2_0346329E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034402A0 mov eax, dword ptr fs:[00000030h] | 4_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034402A0 mov eax, dword ptr fs:[00000030h] | 4_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034452A0 mov eax, dword ptr fs:[00000030h] | 4_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034452A0 mov eax, dword ptr fs:[00000030h] | 4_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034452A0 mov eax, dword ptr fs:[00000030h] | 4_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034452A0 mov eax, dword ptr fs:[00000030h] | 4_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F92A6 mov eax, dword ptr fs:[00000030h] | 4_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F92A6 mov eax, dword ptr fs:[00000030h] | 4_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F92A6 mov eax, dword ptr fs:[00000030h] | 4_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F92A6 mov eax, dword ptr fs:[00000030h] | 4_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C62A0 mov ecx, dword ptr fs:[00000030h] | 4_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C72A0 mov eax, dword ptr fs:[00000030h] | 4_2_034C72A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C72A0 mov eax, dword ptr fs:[00000030h] | 4_2_034C72A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B92BC mov eax, dword ptr fs:[00000030h] | 4_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B92BC mov eax, dword ptr fs:[00000030h] | 4_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B92BC mov ecx, dword ptr fs:[00000030h] | 4_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B92BC mov ecx, dword ptr fs:[00000030h] | 4_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03505152 mov eax, dword ptr fs:[00000030h] | 4_2_03505152
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C4144 mov eax, dword ptr fs:[00000030h] | 4_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C4144 mov eax, dword ptr fs:[00000030h] | 4_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C4144 mov ecx, dword ptr fs:[00000030h] | 4_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C4144 mov eax, dword ptr fs:[00000030h] | 4_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C4144 mov eax, dword ptr fs:[00000030h] | 4_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429148 mov eax, dword ptr fs:[00000030h] | 4_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429148 mov eax, dword ptr fs:[00000030h] | 4_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429148 mov eax, dword ptr fs:[00000030h] | 4_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03429148 mov eax, dword ptr fs:[00000030h] | 4_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03437152 mov eax, dword ptr fs:[00000030h] | 4_2_03437152
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342C156 mov eax, dword ptr fs:[00000030h] | 4_2_0342C156
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03436154 mov eax, dword ptr fs:[00000030h] | 4_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03436154 mov eax, dword ptr fs:[00000030h] | 4_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342F172 mov eax, dword ptr fs:[00000030h] | 4_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034C9179 mov eax, dword ptr fs:[00000030h] | 4_2_034C9179
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034DA118 mov ecx, dword ptr fs:[00000030h] | 4_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034DA118 mov eax, dword ptr fs:[00000030h] | 4_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034DA118 mov eax, dword ptr fs:[00000030h] | 4_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034DA118 mov eax, dword ptr fs:[00000030h] | 4_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F0115 mov eax, dword ptr fs:[00000030h] | 4_2_034F0115
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03460124 mov eax, dword ptr fs:[00000030h] | 4_2_03460124
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03431131 mov eax, dword ptr fs:[00000030h] | 4_2_03431131
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03431131 mov eax, dword ptr fs:[00000030h] | 4_2_03431131
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342B136 mov eax, dword ptr fs:[00000030h] | 4_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342B136 mov eax, dword ptr fs:[00000030h] | 4_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342B136 mov eax, dword ptr fs:[00000030h] | 4_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342B136 mov eax, dword ptr fs:[00000030h] | 4_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F61C3 mov eax, dword ptr fs:[00000030h] | 4_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034F61C3 mov eax, dword ptr fs:[00000030h] | 4_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346D1D0 mov eax, dword ptr fs:[00000030h] | 4_2_0346D1D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0346D1D0 mov ecx, dword ptr fs:[00000030h] | 4_2_0346D1D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034AE1D0 mov ecx, dword ptr fs:[00000030h] | 4_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_035051CB mov eax, dword ptr fs:[00000030h] | 4_2_035051CB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034551EF mov eax, dword ptr fs:[00000030h] | 4_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034351ED mov eax, dword ptr fs:[00000030h] | 4_2_034351ED
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_035061E5 mov eax, dword ptr fs:[00000030h] | 4_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034601F8 mov eax, dword ptr fs:[00000030h] | 4_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03470185 mov eax, dword ptr fs:[00000030h] | 4_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EC188 mov eax, dword ptr fs:[00000030h] | 4_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034EC188 mov eax, dword ptr fs:[00000030h] | 4_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B019F mov eax, dword ptr fs:[00000030h] | 4_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B019F mov eax, dword ptr fs:[00000030h] | 4_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B019F mov eax, dword ptr fs:[00000030h] | 4_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034B019F mov eax, dword ptr fs:[00000030h] | 4_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342A197 mov eax, dword ptr fs:[00000030h] | 4_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342A197 mov eax, dword ptr fs:[00000030h] | 4_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0342A197 mov eax, dword ptr fs:[00000030h] | 4_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03487190 mov eax, dword ptr fs:[00000030h] | 4_2_03487190
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E11A4 mov eax, dword ptr fs:[00000030h] | 4_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E11A4 mov eax, dword ptr fs:[00000030h] | 4_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E11A4 mov eax, dword ptr fs:[00000030h] | 4_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034E11A4 mov eax, dword ptr fs:[00000030h] | 4_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0344B1B0 mov eax, dword ptr fs:[00000030h] | 4_2_0344B1B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03432050 mov eax, dword ptr fs:[00000030h] | 4_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034D705E mov ebx, dword ptr fs:[00000030h] | 4_2_034D705E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_034D705E mov eax, dword ptr fs:[00000030h] | 4_2_034D705E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0345B052 mov eax, dword ptr fs:[00000030h] | 4_2_0345B052
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03505060 mov eax, dword ptr fs:[00000030h] | 4_2_03505060
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov ecx, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03441070 mov eax, dword ptr fs:[00000030h] | 4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03441070 mov eax, dword ptr fs:[00000030h]4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03441070 mov eax, dword ptr fs:[00000030h]4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03441070 mov eax, dword ptr fs:[00000030h]4_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345C073 mov eax, dword ptr fs:[00000030h]4_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AD070 mov ecx, dword ptr fs:[00000030h]4_2_034AD070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344E016 mov eax, dword ptr fs:[00000030h]4_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344E016 mov eax, dword ptr fs:[00000030h]4_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344E016 mov eax, dword ptr fs:[00000030h]4_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344E016 mov eax, dword ptr fs:[00000030h]4_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342A020 mov eax, dword ptr fs:[00000030h]4_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342C020 mov eax, dword ptr fs:[00000030h]4_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F903E mov eax, dword ptr fs:[00000030h]4_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F903E mov eax, dword ptr fs:[00000030h]4_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F903E mov eax, dword ptr fs:[00000030h]4_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F903E mov eax, dword ptr fs:[00000030h]4_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov ecx, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov ecx, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov ecx, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov ecx, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034470C0 mov eax, dword ptr fs:[00000030h]4_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035050D9 mov eax, dword ptr fs:[00000030h]4_2_035050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AD0C0 mov eax, dword ptr fs:[00000030h]4_2_034AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AD0C0 mov eax, dword ptr fs:[00000030h]4_2_034AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B20DE mov eax, dword ptr fs:[00000030h]4_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034590DB mov eax, dword ptr fs:[00000030h]4_2_034590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034550E4 mov eax, dword ptr fs:[00000030h]4_2_034550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034550E4 mov ecx, dword ptr fs:[00000030h]4_2_034550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034380E9 mov eax, dword ptr fs:[00000030h]4_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342C0F0 mov eax, dword ptr fs:[00000030h]4_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034720F0 mov ecx, dword ptr fs:[00000030h]4_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343208A mov eax, dword ptr fs:[00000030h]4_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342D08D mov eax, dword ptr fs:[00000030h]4_2_0342D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03435096 mov eax, dword ptr fs:[00000030h]4_2_03435096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345D090 mov eax, dword ptr fs:[00000030h]4_2_0345D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345D090 mov eax, dword ptr fs:[00000030h]4_2_0345D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346909C mov eax, dword ptr fs:[00000030h]4_2_0346909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F60B8 mov eax, dword ptr fs:[00000030h]4_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F60B8 mov ecx, dword ptr fs:[00000030h]4_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03443740 mov eax, dword ptr fs:[00000030h]4_2_03443740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03443740 mov eax, dword ptr fs:[00000030h]4_2_03443740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03443740 mov eax, dword ptr fs:[00000030h]4_2_03443740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346674D mov esi, dword ptr fs:[00000030h]4_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346674D mov eax, dword ptr fs:[00000030h]4_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346674D mov eax, dword ptr fs:[00000030h]4_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03430750 mov eax, dword ptr fs:[00000030h]4_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472750 mov eax, dword ptr fs:[00000030h]4_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472750 mov eax, dword ptr fs:[00000030h]4_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03503749 mov eax, dword ptr fs:[00000030h]4_2_03503749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B4755 mov eax, dword ptr fs:[00000030h]4_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342B765 mov eax, dword ptr fs:[00000030h]4_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342B765 mov eax, dword ptr fs:[00000030h]4_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342B765 mov eax, dword ptr fs:[00000030h]4_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342B765 mov eax, dword ptr fs:[00000030h]4_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03438770 mov eax, dword ptr fs:[00000030h]4_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03440770 mov eax, dword ptr fs:[00000030h]4_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03437703 mov eax, dword ptr fs:[00000030h]4_2_03437703
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03435702 mov eax, dword ptr fs:[00000030h]4_2_03435702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03435702 mov eax, dword ptr fs:[00000030h]4_2_03435702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346C700 mov eax, dword ptr fs:[00000030h]4_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03430710 mov eax, dword ptr fs:[00000030h]4_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03460710 mov eax, dword ptr fs:[00000030h]4_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346F71F mov eax, dword ptr fs:[00000030h]4_2_0346F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346F71F mov eax, dword ptr fs:[00000030h]4_2_0346F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034EF72E mov eax, dword ptr fs:[00000030h]4_2_034EF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03433720 mov eax, dword ptr fs:[00000030h]4_2_03433720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344F720 mov eax, dword ptr fs:[00000030h]4_2_0344F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344F720 mov eax, dword ptr fs:[00000030h]4_2_0344F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344F720 mov eax, dword ptr fs:[00000030h]4_2_0344F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F972B mov eax, dword ptr fs:[00000030h]4_2_034F972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346C720 mov eax, dword ptr fs:[00000030h]4_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346C720 mov eax, dword ptr fs:[00000030h]4_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0350B73C mov eax, dword ptr fs:[00000030h]4_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0350B73C mov eax, dword ptr fs:[00000030h]4_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0350B73C mov eax, dword ptr fs:[00000030h]4_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0350B73C mov eax, dword ptr fs:[00000030h]4_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03429730 mov eax, dword ptr fs:[00000030h]4_2_03429730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03429730 mov eax, dword ptr fs:[00000030h]4_2_03429730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03465734 mov eax, dword ptr fs:[00000030h]4_2_03465734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343973A mov eax, dword ptr fs:[00000030h]4_2_0343973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343973A mov eax, dword ptr fs:[00000030h]4_2_0343973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346273C mov eax, dword ptr fs:[00000030h]4_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346273C mov ecx, dword ptr fs:[00000030h]4_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346273C mov eax, dword ptr fs:[00000030h]4_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AC730 mov eax, dword ptr fs:[00000030h]4_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343C7C0 mov eax, dword ptr fs:[00000030h]4_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034357C0 mov eax, dword ptr fs:[00000030h]4_2_034357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034357C0 mov eax, dword ptr fs:[00000030h]4_2_034357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034357C0 mov eax, dword ptr fs:[00000030h]4_2_034357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343D7E0 mov ecx, dword ptr fs:[00000030h]4_2_0343D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034527ED mov eax, dword ptr fs:[00000030h]4_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034527ED mov eax, dword ptr fs:[00000030h]4_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034527ED mov eax, dword ptr fs:[00000030h]4_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034347FB mov eax, dword ptr fs:[00000030h]4_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034347FB mov eax, dword ptr fs:[00000030h]4_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034EF78A mov eax, dword ptr fs:[00000030h]4_2_034EF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B97A9 mov eax, dword ptr fs:[00000030h]4_2_034B97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034BF7AF mov eax, dword ptr fs:[00000030h]4_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034BF7AF mov eax, dword ptr fs:[00000030h]4_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034BF7AF mov eax, dword ptr fs:[00000030h]4_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034BF7AF mov eax, dword ptr fs:[00000030h]4_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034BF7AF mov eax, dword ptr fs:[00000030h]4_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_035037B6 mov eax, dword ptr fs:[00000030h]4_2_035037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034307AF mov eax, dword ptr fs:[00000030h]4_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345D7B0 mov eax, dword ptr fs:[00000030h]4_2_0345D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F7BA mov eax, dword ptr fs:[00000030h]4_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344C640 mov eax, dword ptr fs:[00000030h]4_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F866E mov eax, dword ptr fs:[00000030h]4_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F866E mov eax, dword ptr fs:[00000030h]4_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346A660 mov eax, dword ptr fs:[00000030h]4_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346A660 mov eax, dword ptr fs:[00000030h]4_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03469660 mov eax, dword ptr fs:[00000030h]4_2_03469660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03469660 mov eax, dword ptr fs:[00000030h]4_2_03469660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03462674 mov eax, dword ptr fs:[00000030h]4_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03461607 mov eax, dword ptr fs:[00000030h]4_2_03461607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AE609 mov eax, dword ptr fs:[00000030h]4_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346F603 mov eax, dword ptr fs:[00000030h]4_2_0346F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344260B mov eax, dword ptr fs:[00000030h]4_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344260B mov eax, dword ptr fs:[00000030h]4_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344260B mov eax, dword ptr fs:[00000030h]4_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344260B mov eax, dword ptr fs:[00000030h]4_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344260B mov eax, dword ptr fs:[00000030h]4_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344260B mov eax, dword ptr fs:[00000030h]4_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344260B mov eax, dword ptr fs:[00000030h]4_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03433616 mov eax, dword ptr fs:[00000030h]4_2_03433616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03433616 mov eax, dword ptr fs:[00000030h]4_2_03433616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03472619 mov eax, dword ptr fs:[00000030h]4_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0344E627 mov eax, dword ptr fs:[00000030h]4_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342F626 mov eax, dword ptr fs:[00000030h]4_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03466620 mov eax, dword ptr fs:[00000030h]4_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03505636 mov eax, dword ptr fs:[00000030h]4_2_03505636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03468620 mov eax, dword ptr fs:[00000030h]4_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343262C mov eax, dword ptr fs:[00000030h]4_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346A6C7 mov eax, dword ptr fs:[00000030h]4_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343B6C0 mov eax, dword ptr fs:[00000030h]4_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343B6C0 mov eax, dword ptr fs:[00000030h]4_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343B6C0 mov eax, dword ptr fs:[00000030h]4_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343B6C0 mov eax, dword ptr fs:[00000030h]4_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343B6C0 mov eax, dword ptr fs:[00000030h]4_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0343B6C0 mov eax, dword ptr fs:[00000030h]4_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F16CC mov eax, dword ptr fs:[00000030h]4_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F16CC mov eax, dword ptr fs:[00000030h]4_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F16CC mov eax, dword ptr fs:[00000030h]4_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034F16CC mov eax, dword ptr fs:[00000030h]4_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034EF6C7 mov eax, dword ptr fs:[00000030h]4_2_034EF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034616CF mov eax, dword ptr fs:[00000030h]4_2_034616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034C36EE mov eax, dword ptr fs:[00000030h]4_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034C36EE mov eax, dword ptr fs:[00000030h]4_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034C36EE mov eax, dword ptr fs:[00000030h]4_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034C36EE mov eax, dword ptr fs:[00000030h]4_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034C36EE mov eax, dword ptr fs:[00000030h]4_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034C36EE mov eax, dword ptr fs:[00000030h]4_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345D6E0 mov eax, dword ptr fs:[00000030h]4_2_0345D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0345D6E0 mov eax, dword ptr fs:[00000030h]4_2_0345D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AE6F2 mov eax, dword ptr fs:[00000030h]4_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AE6F2 mov eax, dword ptr fs:[00000030h]4_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AE6F2 mov eax, dword ptr fs:[00000030h]4_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034AE6F2 mov eax, dword ptr fs:[00000030h]4_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B06F1 mov eax, dword ptr fs:[00000030h]4_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B06F1 mov eax, dword ptr fs:[00000030h]4_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034ED6F0 mov eax, dword ptr fs:[00000030h]4_2_034ED6F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B368C mov eax, dword ptr fs:[00000030h]4_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B368C mov eax, dword ptr fs:[00000030h]4_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B368C mov eax, dword ptr fs:[00000030h]4_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034B368C mov eax, dword ptr fs:[00000030h]4_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03434690 mov eax, dword ptr fs:[00000030h]4_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03434690 mov eax, dword ptr fs:[00000030h]4_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0346C6A6 mov eax, dword ptr fs:[00000030h]4_2_0346C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342D6AA mov eax, dword ptr fs:[00000030h]4_2_0342D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0342D6AA mov eax, dword ptr fs:[00000030h]4_2_0342D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034276B2 mov eax, dword ptr fs:[00000030h]4_2_034276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034276B2 mov eax, dword ptr fs:[00000030h]4_2_034276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_034276B2 mov eax, dword ptr fs:[00000030h]4_2_034276B2

           HIPS / PFW / Operating System Protection Evasion

           Source: C:\Users\user\Desktop\rOr__amentoprim.exe; Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
           Source: C:\Users\user\Desktop\rOr__amentoprim.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B11008
           Source: C:\Users\user\Desktop\rOr__amentoprim.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rOr__amentoprim.exe"
           Source: rOr__amentoprim.exe; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

           Stealing of Sensitive Information

           Source: Yara match; File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
           Source: Yara match; File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
           Source: Yara match; File source: 00000004.00000002.2189639612.00000000008E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
           Source: Yara match; File source: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

           Remote Access Functionality

           Source: Yara match; File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
           Source: Yara match; File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
           Source: Yara match; File source: 00000004.00000002.2189639612.00000000008E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
           Source: Yara match; File source: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

           MITRE ATT&CK Matrix (techniques listed per tactic, column by column; a number before a technique is the report's count of matching signatures)

           Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
           Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
           Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
           Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
           Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
           Privilege Escalation: 212 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
           Defense Evasion: 2 Virtualization/Sandbox Evasion; 212 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 2 Obfuscated Files or Information
           Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
           Discovery: 12 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 System Information Discovery; Internet Connection Discovery
           Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
           Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
           Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
           Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
           Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
          Source | Detection | Scanner | Label | Link
          rOr__amentoprim.exe | 100% | Avira | DR/AutoIt.Gen8 |
          rOr__amentoprim.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1546127
          Start date and time:2024-10-31 14:31:05 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 6s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed:5
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:rOr__amentoprim.exe
          Detection:MAL
          Classification:mal80.troj.evad.winEXE@3/1@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 92%
          • Number of executed functions: 9
          • Number of non-executed functions: 317
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed, report is missing behavior information
          • VT rate limit hit for: rOr__amentoprim.exe
          Time | Type | Description
          09:32:46 | API Interceptor | 3x Sleep call for process: svchost.exe modified
          No context
          Process:C:\Users\user\Desktop\rOr__amentoprim.exe
          File Type:data
          Category:dropped
          Size (bytes):287744
          Entropy (8bit):7.9944676905444005
          Encrypted:true
          SSDEEP:6144:WOXCBk4hruGSU4+dptdD8FjjX7hvDD8wZAZHaqNQJX:KBZfdpnmjLhvDD5ARaqNuX
          MD5:77BA553888AC157B3A2CF4F1EC657EDF
          SHA1:62716D4C9D0D235B5D4F9BDFE60CFD9DECAED4EC
          SHA-256:E05F3645D094DFF9E5A0229D17648B37619D63469A1F6854442B3F5137EA42A0
          SHA-512:E845AD697985B53C617639F405088EA8E95915CB06023B678ED7E7AEBA5AF303177E680819D7BCDFDFB24E223FA1D84E68DA90A871FF97280D0F087E4289A0FA
          Malicious:false
          Reputation:low
          Preview:.....5DS3..D...f.FM...{0\...HML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3.KNMFR.7Z.O.k.E..u.&$;m<K574/'.'2]:$:m*(lK/>f'$...`t&!)-cA4PtFNJ5DS3-JG.u-+.g0!.wU#.)..w(*.#...r*R.I...r-/..P98{.-.DS3TKNMH..9Z.GOJ..~iTKNMHML9.PDOA4OS3.ONMHML9ZPFn^5DS#TKN=LML9.PF^J5DQ3TMNMHML9ZVFNJ5DS3T;JMHOL9ZPFNH5..3T[NMXML9Z@FNZ5DS3TK^MHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5D}G13:MHM8i^PF^J5D.7TK^MHML9ZPFNJ5DS3tKN-HML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMHML9ZPFNJ5DS3TKNMH
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.403393038517443
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:rOr__amentoprim.exe
          File size:1'583'616 bytes
          MD5:612718c6253a9149b34e80f7bc47bef9
          SHA1:259510c8d3c327a040f60630ac3935aa82fbb91f
          SHA256:6e6db1ec92a7063e96f51aa8a22edd45be2e467fdf45f71be60e086382705684
          SHA512:fa53fadea6f9893e2eae4662dbbd77a6d5cf2c3b7a0cb677ebf7230634198e7c7e182b40ebb9c97422af7e37bdf95f2df3c25341af5ad5854c872951148257f9
          SSDEEP:49152:qTvC/MTQYxsWR7atHlmo+S95xNavhRsFyW:ajTQYxsWRhE52sF
          TLSH:5B75E1027381D062FFAB92334B9AF6515BBC7A260123E61F13981DB9BD701B1563E763
          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x420577
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x67236AE9 [Thu Oct 31 11:32:57 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:948cc502fe9226992dce9417f952fce3
          Instruction
          call 00007FE46CDAECE3h
          jmp 00007FE46CDAE5EFh
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007FE46CDAE7CDh
          mov dword ptr [esi], 0049FDF0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FDF8h
          mov dword ptr [ecx], 0049FDF0h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007FE46CDAE79Ah
          mov dword ptr [esi], 0049FE0Ch
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FE14h
          mov dword ptr [ecx], 0049FE0Ch
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          and dword ptr [eax], 00000000h
          and dword ptr [eax+04h], 00000000h
          push eax
          mov eax, dword ptr [ebp+08h]
          add eax, 04h
          push eax
          call 00007FE46CDB138Dh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 0049FDD0h
          push eax
          call 00007FE46CDB13D8h
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          push eax
          call 00007FE46CDB13C1h
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xabe28 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x180000 | 0x7594 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xd4000 | 0xabe28 | 0xac000 | 0f9f52756cc5a9eb77e3e529380a8c66 | False | 0.9625953851744186 | data | 7.962420506700886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x180000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xd44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xd45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
          RT_ICON | 0xd48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
          RT_ICON | 0xd49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
          RT_ICON | 0xd5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
          RT_ICON | 0xd6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
          RT_ICON | 0xd6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
          RT_ICON | 0xd8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
          RT_ICON | 0xd9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
          RT_STRING | 0xda148 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0xda6dc | 0x68a | data | English | Great Britain | 0.2735961768219833
          RT_STRING | 0xdad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0xdb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0xdb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0xdbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0xdc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0xdc410 | 0xa34c0 | data | | | 1.0003154602430389
          RT_GROUP_ICON | 0x17f8d0 | 0x76 | data | English | Great Britain | 0.6610169491525424
          RT_GROUP_ICON | 0x17f948 | 0x14 | data | English | Great Britain | 1.15
          RT_VERSION | 0x17f95c | 0xdc | data | English | Great Britain | 0.6181818181818182
          RT_MANIFEST | 0x17fa38 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
          DLL | Import
          WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
          VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
          WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
          USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
          USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
          GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
          COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
          SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
          Language of compilation system | Country where language is spoken
          English | Great Britain
          No network behavior found


          Target ID:0
          Start time:09:31:59
          Start date:31/10/2024
          Path:C:\Users\user\Desktop\rOr__amentoprim.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\rOr__amentoprim.exe"
          Imagebase:0xe10000
          File size:1'583'616 bytes
          MD5 hash:612718C6253A9149B34E80F7BC47BEF9
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:4
          Start time:09:32:21
          Start date:31/10/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\rOr__amentoprim.exe"
          Imagebase:0x980000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2189639612.00000000008E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:0.9%
            Dynamic/Decrypted Code Coverage:6.6%
            Signature Coverage:11%
            Total number of Nodes:91
            Total number of Limit Nodes:7

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 14 4177a3-4177bf 15 4177c7-4177cc 14->15 16 4177c2 call 42f2c3 14->16 17 4177d2-4177e0 call 42f8c3 15->17 18 4177ce-4177d1 15->18 16->15 21 4177f0-417801 call 42dd63 17->21 22 4177e2-4177ed call 42fb63 17->22 27 417803-417817 LdrLoadDll 21->27 28 41781a-41781d 21->28 22->21 27->28
            APIs
            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417815
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Load
            • String ID:
            • API String ID: 2234796835-0
            • Opcode ID: 98fc35d21ae9c87b45bd8c87b7e65ae8e5e460b3e4cca1a9cb6ab26f163bbd8d
            • Instruction ID: 92d71c0ef7b01014c67927cabda73d7a73e4be9fed99dac0b8d4bb38bd026ccf
            • Opcode Fuzzy Hash: 98fc35d21ae9c87b45bd8c87b7e65ae8e5e460b3e4cca1a9cb6ab26f163bbd8d
            • Instruction Fuzzy Hash: 600152B5E0010DABDB10DAE1DC42FDEB3789B14308F4081A6E91897240F635EB598795

            Control-flow Graph

            control_flow_graph 34 42c633-42c66c call 404913 call 42d853 NtClose
            APIs
            • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C667
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: 4ffb880530f8de667b1ac819bacbc3bb1031c734e8c830e7a21cb919343caa93
            • Instruction ID: 2b9f1a654e7dceffc318f1a0de5f8e74560b57e434903dfd077381f82d21bfd8
            • Opcode Fuzzy Hash: 4ffb880530f8de667b1ac819bacbc3bb1031c734e8c830e7a21cb919343caa93
            • Instruction Fuzzy Hash: F4E086756002147BD120FBAADC01F9B776CDFC5764F008019FA1867252C670BA00C7F4

            Control-flow Graph

            control_flow_graph 50 34735c0-34735cc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
            • Instruction ID: 4bca997d960333c53abf703bb35b18ff92955c10a8950eac8f555f58a6710de8
            • Opcode Fuzzy Hash: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
            • Instruction Fuzzy Hash: 2690023160550802D100B258455474A1006C7E0301FA5C412A042496CD87958A5165A6

            Control-flow Graph

            control_flow_graph 48 3472b60-3472b6c LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
            • Instruction ID: 7696a08e5a0c48e97cb664b4b09091bd128144885373470c9bf44bae4d9bad19
            • Opcode Fuzzy Hash: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
            • Instruction Fuzzy Hash: 86900261202404034105B258445465A400BC7F0301B95C022E1014994DC72589916129

            Control-flow Graph

            control_flow_graph 49 3472df0-3472dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0

            • Control-flow graph: node 9 42c993-42c9d7 call 404913 call 42d853 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C9D2
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID: ZeA
            • API String ID: 3298025750-2268830864

            • Control-flow graph: node 29 42c943-42c987 call 404913 call 42d853 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(?,0041E594,?,?,00000000,?,0041E594,?,?,?), ref: 0042C982
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0

            • Control-flow graph: node 39 42c9e3-42ca1c call 404913 call 42d853 ExitProcess
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID: ExitProcess
            • String ID:
            • API String ID: 621844428-0

            • Control-flow graph: nodes 44 3472c0a-3472c0f, 45 3472c11-3472c18, 46 3472c1f-3472c26 LdrInitializeThunk; edges 44->45, 44->46
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-3089669407
            Strings
            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A54E2
            • Critical section address., xrefs: 034A5502
            • Address of the debug info found in the active list., xrefs: 034A54AE, 034A54FA
            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A540A, 034A5496, 034A5519
            • 8, xrefs: 034A52E3
            • Invalid debug info address of this critical section, xrefs: 034A54B6
            • Thread identifier, xrefs: 034A553A
            • corrupted critical section, xrefs: 034A54C2
            • Critical section address, xrefs: 034A5425, 034A54BC, 034A5534
            • Critical section debug info address, xrefs: 034A541F, 034A552E
            • undeleted critical section in freed memory, xrefs: 034A542B
            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A54CE
            • double initialized or corrupted critical section, xrefs: 034A5508
            • Thread is in a state in which it cannot own a critical section, xrefs: 034A5543
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
            • API String ID: 0-2368682639
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
            • API String ID: 0-360209818
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
            • API String ID: 0-3591852110
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
            • API String ID: 0-3197712848
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
            • API String ID: 0-3532704233
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
            • API String ID: 0-1357697941
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
            • API String ID: 0-3063724069
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            Strings
            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0342D146
            • @, xrefs: 0342D2AF
            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0342D262
            • @, xrefs: 0342D313
            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0342D0CF
            • Control Panel\Desktop\LanguageConfiguration, xrefs: 0342D196
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0342D2C3
            • @, xrefs: 0342D0FD
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
            • API String ID: 0-1356375266
            Strings
            • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 034976EE
            • sxsisol_SearchActCtxForDllName, xrefs: 034976DD
            • @, xrefs: 03449EE7
            • Internal error check failed, xrefs: 03497718, 034978A9
            • minkernel\ntdll\sxsisol.cpp, xrefs: 03497713, 034978A4
            • Status != STATUS_NOT_FOUND, xrefs: 0349789A
            • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03497709
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
            • API String ID: 0-761764676
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-523794902
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
            • API String ID: 0-4098886588
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
            • API String ID: 0-122214566
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            Strings
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 034A21BF
            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 034A219F
            • SXS: %s() passed the empty activation context, xrefs: 034A2165
            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 034A2178
            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 034A2180
            • RtlGetAssemblyStorageRoot, xrefs: 034A2160, 034A219A, 034A21BA
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
            • API String ID: 0-861424205
            Strings
            • Loading import redirection DLL: '%wZ', xrefs: 034A8170
            • Unable to build import redirection Table, Status = 0x%x, xrefs: 034A81E5
            • minkernel\ntdll\ldrredirect.c, xrefs: 034A8181, 034A81F5
            • LdrpInitializeImportRedirection, xrefs: 034A8177, 034A81EB
            • minkernel\ntdll\ldrinit.c, xrefs: 0346C6C3
            • LdrpInitializeProcess, xrefs: 0346C6C4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-475462383
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
            • API String ID: 0-3127649145
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
            • API String ID: 0-3393094623
            Strings
            • Kernel-MUI-Language-SKU, xrefs: 0345542B
            • Kernel-MUI-Number-Allowed, xrefs: 03455247
            • WindowsExcludedProcs, xrefs: 0345522A
            • Kernel-MUI-Language-Allowed, xrefs: 0345527B
            • Kernel-MUI-Language-Disallowed, xrefs: 03455352
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
            • API String ID: 0-258546922
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
            • API String ID: 0-2518169356
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1975516107
            • Opcode ID: 7fc4c2257810302a56cecbc8f791b167c847cd5e120fe41228b64054e2dce19c
            • Instruction ID: 33018de20ec85835bb5f58b57187232d49f2a4dfa74cb127bfb5380a7a687670
            • Opcode Fuzzy Hash: 7fc4c2257810302a56cecbc8f791b167c847cd5e120fe41228b64054e2dce19c
            • Instruction Fuzzy Hash: 6D51F375E003459FDB24EF65C484B9EBBB1BF4A314F18405AE8216F3A2D774994ACB88
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
            • API String ID: 0-3061284088
            • Opcode ID: 816b942997c244870cfcad291256ffd575fb5778106c8abb1bce47e13f9af577
            • Instruction ID: afc7c73e469d90b4ba52f8e8c8e393a4fb0d6b79daac4ebab664b06115322c64
            • Opcode Fuzzy Hash: 816b942997c244870cfcad291256ffd575fb5778106c8abb1bce47e13f9af577
            • Instruction Fuzzy Hash: 43012876208260DED225F31A9409F5ABFD4DF43A70F28409FE4205F6A2CAE4A885D92D
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: eab77feb37ff9d1c8a52140546d432c12f90e657e7952faeea301a786cd46deb
            • Instruction ID: 9610d9aebfb6682e4ae529f98add7fa4e26409c66e3bd508fb1b4ee60ab34f18
            • Opcode Fuzzy Hash: eab77feb37ff9d1c8a52140546d432c12f90e657e7952faeea301a786cd46deb
            • Instruction Fuzzy Hash: E2139F70A006558FEB25CF69C4807AAFBF1FF49304F1881AAD855AF381D735A946CF98
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
            • API String ID: 0-3570731704
            • Opcode ID: fb9830b6633a221f6cf0aa409cfc53737fc8eee35eff82cabda8ba3f6263b949
            • Instruction ID: 616b8a811ffca3edd168ed508eab9449378f1fffc92335e6a570c82d3e8ca6a1
            • Opcode Fuzzy Hash: fb9830b6633a221f6cf0aa409cfc53737fc8eee35eff82cabda8ba3f6263b949
            • Instruction Fuzzy Hash: DA926875A00228CFEB25CF19C840BAAB7B5BF45314F1981EBD959AB390D7309E81CF59
            Strings
            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03497D39
            • SsHd, xrefs: 0344A885
            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03497D56
            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03497D03
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
            • API String ID: 0-2905229100
            • Opcode ID: c86c005a8bee0f754deddd2103bb8cc4a7d74f4758a605c717a9abdee979b978
            • Instruction ID: f9c6838038c0426aec181e4a0b5a629735bf246c60adb367fc452583aadd834c
            • Opcode Fuzzy Hash: c86c005a8bee0f754deddd2103bb8cc4a7d74f4758a605c717a9abdee979b978
            • Instruction Fuzzy Hash: 21D15975A402199BEB24CF98C880AAEFBB5EF48310F19416BE845AF351D371D985CB98
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: cb725d2344c500853abab4569a37ee0b3e925ce4439e2660bc6a7ef31f47cd3d
            • Instruction ID: 4d91fb5e37437b46efc7ddccc7c7c726acb5c396f03a4a67095f819291459521
            • Opcode Fuzzy Hash: cb725d2344c500853abab4569a37ee0b3e925ce4439e2660bc6a7ef31f47cd3d
            • Instruction Fuzzy Hash: 62E2B374A006558FEB24CF5AC490BAAF7F1FF49304F1881AAD855AF385D734A846CF98
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: 9ebd3715ebe00e7f5f3f600ce7d8fc64c39620c4a705654247d4d452c8ab3401
            • Instruction ID: 48ebc854dd1a985aa21fb57029a3a80c908956aeb1b017b8dfaef4da36521e4b
            • Opcode Fuzzy Hash: 9ebd3715ebe00e7f5f3f600ce7d8fc64c39620c4a705654247d4d452c8ab3401
            • Instruction Fuzzy Hash: FBC187742483869FDB10CF18C144B6AB7E4AF8A704F04496BF8E68F350E374C94ACB5A
            Strings
            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 034954ED
            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 034955AE
            • HEAP: , xrefs: 034954E0, 034955A1
            • HEAP[%wZ]: , xrefs: 034954D1, 03495592
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
            • API String ID: 0-1657114761
            • Opcode ID: 50b6cb21f5863f521da1d032d2cedd4302ce2707576771853593d2452c5e7dc0
            • Instruction ID: 85a97bd457df5d7c636db68b430330be3bd856686830a50cd4afeaf4783778aa
            • Opcode Fuzzy Hash: 50b6cb21f5863f521da1d032d2cedd4302ce2707576771853593d2452c5e7dc0
            • Instruction Fuzzy Hash: BFA1D070604605DFEB28DF25C840B6AFBA5AF45300F2885BFD5968F782D730A855CB98
            Strings
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 034A22B6
            • .Local, xrefs: 034628D8
            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 034A21D9, 034A22B1
            • SXS: %s() passed the empty activation context, xrefs: 034A21DE
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
            • API String ID: 0-1239276146
            • Opcode ID: 9ff1d861334f100773043af3374a3e0ab98e8461d9c8c957d104b5b243a939fa
            • Instruction ID: 97ba20dcc9315d07106f2f7d4f60778b9ade40bc39c5c48113ec238da891fcad
            • Opcode Fuzzy Hash: 9ff1d861334f100773043af3374a3e0ab98e8461d9c8c957d104b5b243a939fa
            • Instruction Fuzzy Hash: C1A19235A002299FDB24CF54D884B9AB3B4BF58314F1849EBD818AF351D7709E85CF99
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
            • API String ID: 0-2586055223
            • Opcode ID: 352558d418c32e17ee1c3556085543eca9d0f0a630d6819e1372129316d62b8b
            • Instruction ID: 4b558c6bd27376beac093991cde108266def5ac8a76d27b465933bef3b3621ba
            • Opcode Fuzzy Hash: 352558d418c32e17ee1c3556085543eca9d0f0a630d6819e1372129316d62b8b
            • Instruction Fuzzy Hash: 806114762047409FE711EB69C844F6BBBE8EF80B10F08046AE9659F3A1C734D846CB69
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
            • API String ID: 0-336120773
            • Opcode ID: e2cd1ba51e4cab2111d17de5c9adda99122c8d3829194fcd5a57b918b0713d1c
            • Instruction ID: 2032562c5818e2528e2f81f2ecd2c00ed195a1f725a610a73f0aa24b01becdeb
            • Opcode Fuzzy Hash: e2cd1ba51e4cab2111d17de5c9adda99122c8d3829194fcd5a57b918b0713d1c
            • Instruction Fuzzy Hash: C731DE39254250EFC711DB99CC86F6AB7E8EF09625F28019BF811EF291D670EC40DA6D
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
            • API String ID: 0-1391187441
            • Opcode ID: 345ec135c0dfb39fc736f4638bc9abca9af40c9db688d77592d87bd4c824f41b
            • Instruction ID: b8e4945c76a78335aed377dbffaa042d7fb827f660c29a776a9e60a0dd8bc4b7
            • Opcode Fuzzy Hash: 345ec135c0dfb39fc736f4638bc9abca9af40c9db688d77592d87bd4c824f41b
            • Instruction Fuzzy Hash: CE318436600214AFDB11DB56C885FEEBBB9EF45620F5440A7E824BF291D770DD40CE69
            Strings
            • HEAP: , xrefs: 03443264
            • HEAP[%wZ]: , xrefs: 03443255
            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0344327D
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-617086771
            • Opcode ID: 95ee7f056d9f0aaa58578925db3568d676411d51200f68bc0260eafd101142c7
            • Instruction ID: e332a1c399284c73c22b8a63708b54f940fd31f151f85735eda64107b1c92ea9
            • Opcode Fuzzy Hash: 95ee7f056d9f0aaa58578925db3568d676411d51200f68bc0260eafd101142c7
            • Instruction Fuzzy Hash: FA92BC74A042489FEB25CF69C4407AEBBF1FF08700F1884AAE859AF391D775A946CF54
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 406c33fa83626edea67583803a32ff31c298c03965eb219829ff0dc2e2b172c0
            • Instruction ID: d28e013a3e8ba83e3a8bc75c162431b48704edaea745b1dd081dfccbe2f07e51
            • Opcode Fuzzy Hash: 406c33fa83626edea67583803a32ff31c298c03965eb219829ff0dc2e2b172c0
            • Instruction Fuzzy Hash: 6322EC706006019FEB16DF29C494B7BFBA5EF06704F2884ABE9558F382D775D882CB58
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: e0acf76d092a869a861dae0ed90478442981ea26ce4d15d127f897c7313f6159
            • Instruction ID: c5c2da4d684bb37822fd65ee4c75c6d083d31aac2994b3748c9f8a0b4da2b597
            • Opcode Fuzzy Hash: e0acf76d092a869a861dae0ed90478442981ea26ce4d15d127f897c7313f6159
            • Instruction Fuzzy Hash: 5EF1BB34A00605DFEB15CF69C980B6AFBB5FB45300F2841AAE5169F391D734E992CF98
            Strings
            • HEAP: , xrefs: 03431596
            • HEAP[%wZ]: , xrefs: 03431712
            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03431728
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
            • API String ID: 0-3178619729
            • Opcode ID: 4b6265ccde3305658767e81b17c375144f09da1c4c49ab19759a205574fc6ffa
            • Instruction ID: a3a82a7b6b4222e4681270a07134b1a6a00ac9333182da54274c722ecb7ca33b
            • Opcode Fuzzy Hash: 4b6265ccde3305658767e81b17c375144f09da1c4c49ab19759a205574fc6ffa
            • Instruction Fuzzy Hash: E4E1E070A046419FDB25EF68C491A7ABBF5EF4A300F18849FE4A68F345D734E845CB58
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: VUUU$a```$gfff
            • API String ID: 0-2692549917
            • Opcode ID: 85f21942601172207fe0671a5f1566fcc39f0138ad776775546af439b42f1ef1
            • Instruction ID: 477cff6cc588184e8e12efc0ff88223ccd9a47f4c5bcb74ef91593cce2a0965b
            • Opcode Fuzzy Hash: 85f21942601172207fe0671a5f1566fcc39f0138ad776775546af439b42f1ef1
            • Instruction Fuzzy Hash: 4A911932B0041647CB1C895DCE652BAB296E7E4314F58823BDD16EF7C0E6B8AD1187C4
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
            • API String ID: 0-1145731471
            • Opcode ID: 47447d6d4882c8badf7e12099db197f7a0815197ea92289a382ac82e30f81b63
            • Instruction ID: 4423df1ea3ef1bddfc55e122ca56f70948c42a05b2dedff07a3b3786b01c5b1c
            • Opcode Fuzzy Hash: 47447d6d4882c8badf7e12099db197f7a0815197ea92289a382ac82e30f81b63
            • Instruction Fuzzy Hash: A0B16C79A046049FEF25CF59C980BAEBBB6EF4A714F18456BE451EF380D730A841CB58
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$DelegatedNtdll$\SystemRoot\system32\
            • API String ID: 0-2391371766
            • Opcode ID: 3a11b9e3d61228f98d83036c956862eec36346dd9b3c889eedb5694d1e28c060
            • Instruction ID: 82568bf10bde3806f4c42dd8f6171118401647f35430621d1df8c21e44bcc34b
            • Opcode Fuzzy Hash: 3a11b9e3d61228f98d83036c956862eec36346dd9b3c889eedb5694d1e28c060
            • Instruction Fuzzy Hash: 97B17D79604341AFD321DF56C880FABB7F8EB49710F15492BF9509F250D7B4E8058BAA
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: f44568396bb8fc9e87e936001b7445f4c5b4b075618c0bb59cfea1bc598c8f11
            • Instruction ID: 9525803f52f15d8898f9316426a154067d64b783113f4801fbea0010547e1597
            • Opcode Fuzzy Hash: f44568396bb8fc9e87e936001b7445f4c5b4b075618c0bb59cfea1bc598c8f11
            • Instruction Fuzzy Hash: 32C28371A083419FEB25CF25C480BABBBE5AF88714F08896EF999CB351D734D805CB56
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: ac6dc4345de337be4c6d3cf0dcc81cc1233818f773fef15de07254481da7328d
            • Instruction ID: ac00196f2b61f0f09e181aabf7d197841891c7fd29f380c1462df5069cdce94d
            • Opcode Fuzzy Hash: ac6dc4345de337be4c6d3cf0dcc81cc1233818f773fef15de07254481da7328d
            • Instruction Fuzzy Hash: 75A15E759016299BDB21EF24CC88BEEF7B8EF44700F1405EAD909AB250D7359E85CF68
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
            • API String ID: 0-318774311
            • Opcode ID: 9510a991229610e4ecfd9a2a7d9dc0928e05dfe0156ec286c71ae373773e0e63
            • Instruction ID: 80a795d569f03cb169b335f0661fa7a09d718d7d6eda1ce999d474851781af52
            • Opcode Fuzzy Hash: 9510a991229610e4ecfd9a2a7d9dc0928e05dfe0156ec286c71ae373773e0e63
            • Instruction Fuzzy Hash: 93819B7D619380AFE351DF15C844B6BB7E8FB84B50F04892EB9909F390D778D9048B6A
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: %$&$@
            • API String ID: 0-1537733988
            • Opcode ID: 7a8aa1e72c628007adf144046a73e596970759257c31c7ed146a89babcb3dea6
            • Instruction ID: cb5a829656ece80b15242ebfcafb7afacdd4d88ab304fd2270a7b384ce08a2c5
            • Opcode Fuzzy Hash: 7a8aa1e72c628007adf144046a73e596970759257c31c7ed146a89babcb3dea6
            • Instruction Fuzzy Hash: 3D71D0746087019FD710DF25C580A6BBBE9BF85618F14895FE4AA8F390C770D806CB9B
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: *g$8L4$sU
            • API String ID: 0-3149340777
            • Opcode ID: 67660eba7de8fceaa1dafd77fd1d60e60e179a40f20bb942d45ef123c3ae1249
            • Instruction ID: bc53ac594da6a81fbc1310b9827f3309e97e8d653cd6ec56bae71e9a1015f573
            • Opcode Fuzzy Hash: 67660eba7de8fceaa1dafd77fd1d60e60e179a40f20bb942d45ef123c3ae1249
            • Instruction Fuzzy Hash: E1616271E1060987CF14CF99C8901EDF7B1EFA8314F64926AE505FB3A0E7759A82CB94
            Strings
            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0350B82A
            • TargetNtPath, xrefs: 0350B82F
            • GlobalizationUserSettings, xrefs: 0350B834
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
            • API String ID: 0-505981995
            • Opcode ID: 40796cd893b05958f1b7809a373c46a6dc15f7e36ff09a0f5f159f1ac9e00226
            • Instruction ID: a5f5aa92077b25c56775fa47bc184a206145739be4d82a40cfa8ed46b7d50ea2
            • Opcode Fuzzy Hash: 40796cd893b05958f1b7809a373c46a6dc15f7e36ff09a0f5f159f1ac9e00226
            • Instruction Fuzzy Hash: 16618F72D41229AFDB21DF54DC88BDAB7B8BF14710F0105EAA508AB2A0C775DE84CF94
            Strings
            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0348E6C6
            • HEAP: , xrefs: 0348E6B3
            • HEAP[%wZ]: , xrefs: 0348E6A6
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
            • API String ID: 0-1340214556
            • Opcode ID: e48211a9891826920f637a20e44182868110b57128f41cf37d578b2cf0c19fb6
            • Instruction ID: c9776b34cd80c2863c70cc0f07841285601d452c4c16ceb2084db20f58aeadc2
            • Opcode Fuzzy Hash: e48211a9891826920f637a20e44182868110b57128f41cf37d578b2cf0c19fb6
            • Instruction Fuzzy Hash: 92511435200754EFE712EBA9C844B6AFBF8EF05700F4800A6E951AF792D374E955CB18
            Strings
            • HEAP: , xrefs: 034DDC1F
            • HEAP[%wZ]: , xrefs: 034DDC12
            • Heap block at %p modified at %p past requested size of %Ix, xrefs: 034DDC32
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
            • API String ID: 0-3815128232
            • Opcode ID: f7e37a4675b7cc50347d6fe67cc10b3596c73000e94ac36930ed02b293df5314
            • Instruction ID: 1dea257a184dfec5f158bbec3e769f6ea475850902e70435fe5e1927fff407f9
            • Opcode Fuzzy Hash: f7e37a4675b7cc50347d6fe67cc10b3596c73000e94ac36930ed02b293df5314
            • Instruction Fuzzy Hash: 3D513435A002508EE374DE2AC864773B7E1DF47648F18889BE4E28F285D275E807DB29
            Strings
            • Failed to reallocate the system dirs string !, xrefs: 034A82D7
            • minkernel\ntdll\ldrinit.c, xrefs: 034A82E8
            • LdrpInitializePerUserWindowsDirectory, xrefs: 034A82DE
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1783798831
            • Opcode ID: 3789b1e03a8ec10cef3a687a3ca345e970ea6af871223c1efda1278cf147c8f9
            • Instruction ID: b882ff560d9ea942ca02b5e3db0f08e2be73e2c76baa17bba7e0112b359c0a08
            • Opcode Fuzzy Hash: 3789b1e03a8ec10cef3a687a3ca345e970ea6af871223c1efda1278cf147c8f9
            • Instruction Fuzzy Hash: 1B41F3B5540310AFC720EF65D880F5BB7E8EB59650F04482BF998DF2A0E770E8059B9A
            Strings
            • minkernel\ntdll\ldrtls.c, xrefs: 034A1B4A
            • LdrpAllocateTls, xrefs: 034A1B40
            • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 034A1B39
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
            • API String ID: 0-4274184382
            • Opcode ID: 1fd5a2ef08d5fba5367a55336bb623cf73dddeadd229d9eb274cfe010c7df577
            • Instruction ID: 2a7c60a6f8e353b38c70c1686618dc0470bcdf6b65be018490c7ca7946597bbe
            • Opcode Fuzzy Hash: 1fd5a2ef08d5fba5367a55336bb623cf73dddeadd229d9eb274cfe010c7df577
            • Instruction Fuzzy Hash: 1941ACB9A00604AFDB15DFA9D841BAEFBF5FF59710F14812AE405AF350E774A801CB98
            Strings
            • PreferredUILanguages, xrefs: 034EC212
            • @, xrefs: 034EC1F1
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 034EC1C5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: 4037529b6465c1a0dc2df770f94e3b93f281aef05a9972b744ace62e06298643
            • Instruction ID: 27af0c22aad7b4e287e3cf6dfbe78feb6767478a5f7b590720bef51100d44c5d
            • Opcode Fuzzy Hash: 4037529b6465c1a0dc2df770f94e3b93f281aef05a9972b744ace62e06298643
            • Instruction Fuzzy Hash: 61417C76E00219EFDB11DED5C881FEEB7B8AB04701F14406BE915BF2A0D7B49E448B98
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: 40265693b8bdbf3c929d9593e593e822b41058f0d91dab4d89d567858d4c3f2e
            • Instruction ID: 69ac438ce4cdd284fcc8129bd1e70e783346e05c867b39dbb4d0ecc5351e867f
            • Opcode Fuzzy Hash: 40265693b8bdbf3c929d9593e593e822b41058f0d91dab4d89d567858d4c3f2e
            • Instruction Fuzzy Hash: 3641E3799107888FEB22DBD6C954BADBBB8EF55340F18046FD851AF381DA348901CB18
            Strings
            • minkernel\ntdll\ldrredirect.c, xrefs: 034B4899
            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 034B4888
            • LdrpCheckRedirection, xrefs: 034B488F
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-3154609507
            • Opcode ID: 1f80e711c4bf6585e7a2d081bf2964b7cd4f9f9b4c72e96bde63d9312b481172
            • Instruction ID: fce7dd44f39a53cfcf89f9864465a8f22186ad1abf41b265308fc1d13be54445
            • Opcode Fuzzy Hash: 1f80e711c4bf6585e7a2d081bf2964b7cd4f9f9b4c72e96bde63d9312b481172
            • Instruction Fuzzy Hash: A541C436A007509FCB21CE6AD840AA7BBF8AF49650B09056FEC589F353D730D801CBA9
            Strings
            • SXS: %s() passed the empty activation context data, xrefs: 034A29FE
            • RtlCreateActivationContext, xrefs: 034A29F9
            • Actx , xrefs: 034633AC
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
            • API String ID: 0-859632880
            • Opcode ID: c7b127f256a94dd57c8f04abfdea8e9807e0afe2419d3703eb1d0ab680c6169b
            • Instruction ID: 21c146bd9b4690c70b266ae23227e75db4e12f7cad0ff2ce9e499122651c6200
            • Opcode Fuzzy Hash: c7b127f256a94dd57c8f04abfdea8e9807e0afe2419d3703eb1d0ab680c6169b
            • Instruction Fuzzy Hash: F33142362007419FDB26DF58C880B9AB3A4FB44714F18886BEC049F3A1CB70E842CB98
            Strings
            • LdrpInitializeTls, xrefs: 034A1A47
            • minkernel\ntdll\ldrtls.c, xrefs: 034A1A51
            • DLL "%wZ" has TLS information at %p, xrefs: 034A1A40
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
            • API String ID: 0-931879808
            • Opcode ID: 4fd145c8b6554437a18e3155a627d5ae42594733539b42ee14cf6409d3f2974d
            • Instruction ID: 54e725a8a7ad3db33fbfb1d3a5e5e82324e3cf9c2f78d2aa896928c5ef8c7937
            • Opcode Fuzzy Hash: 4fd145c8b6554437a18e3155a627d5ae42594733539b42ee14cf6409d3f2974d
            • Instruction Fuzzy Hash: E331F535A00200AFDB20DF59C885F7AB6A8FB56754F05045FE505BF2A0E770AE058799
            Strings
            • BuildLabEx, xrefs: 0347130F
            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0347127B
            • @, xrefs: 034712A5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
            • API String ID: 0-3051831665
            • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction ID: cd5ebd13e0268f28db32a7c14a3179fdf27735f4f56d904dcddd73a3fce64e06
            • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
            • Instruction Fuzzy Hash: 3A318176900618AFEB11EF96CC44EEEBBBDEB84750F004467E914AF260D730DA058B98
            Strings
            • LdrpInitializationFailure, xrefs: 034B20FA
            • minkernel\ntdll\ldrinit.c, xrefs: 034B2104
            • Process initialization failed with status 0x%08lx, xrefs: 034B20F3
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: 4ef57c7defa9a026b6b1a52f1f327d692a0728426001ec683e055c953723a007
            • Instruction ID: 0205cd16cb0d847c0d255619adb0da82cc9855336d6bb14dd520166f7fad771d
            • Opcode Fuzzy Hash: 4ef57c7defa9a026b6b1a52f1f327d692a0728426001ec683e055c953723a007
            • Instruction Fuzzy Hash: 33F02835640708AFD720E60DDC42FDA7768EB41B44F14085BF6007F292D2F0A510CA58
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: 13d9ae2e95d3b9c9111b0d018449da4b01527bafef0a27ef2f767b0bea82a04a
            • Instruction ID: f05360cd471c22fe53beb089d9d3695529d86e1889b4c573a2f40e774bf90607
            • Opcode Fuzzy Hash: 13d9ae2e95d3b9c9111b0d018449da4b01527bafef0a27ef2f767b0bea82a04a
            • Instruction Fuzzy Hash: DA714C75A002499FEB01DF99D990FAEB7F8BF08704F15406AE905AF351E734E911CB68
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: DebugPrintTimes
            • String ID: kLsE
            • API String ID: 3446177414-3058123920
            • Opcode ID: b503fe5c8f6c881318cc2259ade033fdb54de7d8ba5379aeab3533aa7a1e7875
            • Instruction ID: 4081398e7f80bf8cdd8a4d8fbe5dc1454b7af597f6e2d8ac832ec5f704b8973e
            • Opcode Fuzzy Hash: b503fe5c8f6c881318cc2259ade033fdb54de7d8ba5379aeab3533aa7a1e7875
            • Instruction Fuzzy Hash: D64186715013504EE731FF66E894F6A7FA0AB12724F18021EED604F2E9CBB0548BD799
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @$@
            • API String ID: 0-149943524
            • Opcode ID: 4770132635d0e9c59a32eb0d3d843d17911669016f18eda0cc5067b81660ed86
            • Instruction ID: 39b28c3f51df25211247d18610c1ff8f018512eee8ae2979d0f241d13acf0e7b
            • Opcode Fuzzy Hash: 4770132635d0e9c59a32eb0d3d843d17911669016f18eda0cc5067b81660ed86
            • Instruction Fuzzy Hash: 273299745083118BEB24CF19C580B3BB7E1AF86650F1949AFF8999F3A0E734C845CB5A
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: c4c36bf48715a4a4a0233e9f43f47fda546831d72160453ddc4a9f7a70b632f2
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: 41C1AD312043469FE724CE29C845B6BFBE5AF84318F0C4A2EF6998E290D775D509CF5A
            Strings
            • Failed to retrieve service checksum., xrefs: 0348EE56
            • ResIdCount less than 2., xrefs: 0348EEC9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
            • API String ID: 0-863616075
            • Opcode ID: 1fdf580fb05b450cf49cdf8dd3dc1ccbd1e91f719a1a10c60fe838d8355dabde
            • Instruction ID: 2e4dbe39501a2ca385c00a74603b1294d58d8daa142ac86e7fee9e6a3ea17639
            • Opcode Fuzzy Hash: 1fdf580fb05b450cf49cdf8dd3dc1ccbd1e91f719a1a10c60fe838d8355dabde
            • Instruction Fuzzy Hash: ADE102B19087449FE324CF16C440BABBBE4FB89314F408A2FE5999B390DB719549CF5A
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: ,$gfff
            • API String ID: 0-2284887374
            • Opcode ID: 628d49a163a48fbb0ce0d66464f523864562e4fc9be6d4ea2997b97ffec66863
            • Instruction ID: 31b66d432a3410b0f8e2cb3cc47dfac7815642c7e24ca690dfe29e90aab589fe
            • Opcode Fuzzy Hash: 628d49a163a48fbb0ce0d66464f523864562e4fc9be6d4ea2997b97ffec66863
            • Instruction Fuzzy Hash: D8514922B0010A07DB28486DDED82AE6256D3E8305F988637DD99EF3C5F5BCAD42528C
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Legacy$UEFI
            • API String ID: 2994545307-634100481
            • Opcode ID: 93697295a8071118debb7e3156fff754e29b24ca633fa2551972dbdabd08171d
            • Instruction ID: aac09f02e668721a0cf8760385e3d4670f7f879abaeb0cb1ba8d8f23f0ef9490
            • Opcode Fuzzy Hash: 93697295a8071118debb7e3156fff754e29b24ca633fa2551972dbdabd08171d
            • Instruction Fuzzy Hash: E2615D75E007089FDB24DFA98880BAEBBB5FB54700F14406EE669EF251D731E940CB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: ,$gfff
            • API String ID: 0-2284887374
            • Opcode ID: 3d4632fb88eb509606465f4441da0b3b2d4920af5a4e2e8a52a71f689955c9e9
            • Instruction ID: c32f9d8e155fb4fcbc51a6c43808d24ccac6a877ff87db1d3b95863e7d9925a3
            • Opcode Fuzzy Hash: 3d4632fb88eb509606465f4441da0b3b2d4920af5a4e2e8a52a71f689955c9e9
            • Instruction Fuzzy Hash: 9E413732F0020607DB28885CDED82AA6256D3E4304F988637DD59EF3C5E5BCAD428788
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$$
            • API String ID: 0-233714265
            • Opcode ID: b29923a865a09425d4ea51cf7702f539aed2e749f18ad1e4b8c4ae78982d5a9e
            • Instruction ID: df7012dfc2caaefe01f03b938d59d4e9527eaf6549270f5f24550a957aab1b8c
            • Opcode Fuzzy Hash: b29923a865a09425d4ea51cf7702f539aed2e749f18ad1e4b8c4ae78982d5a9e
            • Instruction Fuzzy Hash: BD61BA75A00749DFEB20DFA5C580BAEBBB1FF48304F08446ED515AF690DB74A949CB88
            Strings
            • RtlpResUltimateFallbackInfo Enter, xrefs: 0343A2FB
            • RtlpResUltimateFallbackInfo Exit, xrefs: 0343A309
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: 31e071b01e8291a2ef99faba09729b45f606cbc0244b9fb343ef05986ed3a587
            • Instruction ID: 10a029776ac6376d95eedd7fa2db1d5fc0f66b478b17a2f5235ee68e83f9a6e4
            • Opcode Fuzzy Hash: 31e071b01e8291a2ef99faba09729b45f606cbc0244b9fb343ef05986ed3a587
            • Instruction Fuzzy Hash: B741BB34A44649DBEB11CF69C840B6ABBB4EF8A710F1844ABEC54DF3A1E275C901CB59
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: .Local\$@
            • API String ID: 0-380025441
            • Opcode ID: 04061eaefe92383d2c20fd7887cc65ff589cd28c9990631af2d252d28c4ed54e
            • Instruction ID: d5837a7166401a75b28e2f8c792d42ee47105dcf9770b5379660dc701e18ab9a
            • Opcode Fuzzy Hash: 04061eaefe92383d2c20fd7887cc65ff589cd28c9990631af2d252d28c4ed54e
            • Instruction Fuzzy Hash: 1231B37A6083449FD320DF29C880A6BBBE8FBC5654F48092FF5958B260DA30DD45CB97
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: 213d3a1cd13058be44e41003a53d4bebcf0d59bbd676b81e9eafcdbd521d8020
            • Instruction ID: 7995c7478648fc77ecfb0fd331cbbaf64bcd9f2fd3615bfb2c14d1b2cba84c22
            • Opcode Fuzzy Hash: 213d3a1cd13058be44e41003a53d4bebcf0d59bbd676b81e9eafcdbd521d8020
            • Instruction Fuzzy Hash: D7821975E002189FDB24CFA9C980BAEF7B5BF4A710F18816AD859AF394D7309D41CB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: P`vRbv
            • API String ID: 0-2392986850
            • Opcode ID: f4edbd57eab50fcab1a71e77eb78d3ac1ef03da8583b620aaab649fe3da23e1d
            • Instruction ID: fd6c001c3d82581992fd85405af82ffa20a48fa1da07a6166abd1d049342c676
            • Opcode Fuzzy Hash: f4edbd57eab50fcab1a71e77eb78d3ac1ef03da8583b620aaab649fe3da23e1d
            • Instruction Fuzzy Hash: AE42D17DD04259AEDF29EFA8D8446BEFBB0AF05B10F18805BE451AF390D7748981CB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 990cbf9fa050c07f397bb9108ebfb6e08971c2d0e25e9a42ea161d8c404be9a3
            • Instruction ID: 59cbeae94ff0f602ced543ddb812e27d5df893e0c58a5a6f6d100ea6bd09a366
            • Opcode Fuzzy Hash: 990cbf9fa050c07f397bb9108ebfb6e08971c2d0e25e9a42ea161d8c404be9a3
            • Instruction Fuzzy Hash: C0A167B5608342CFD724DF29C480A2BBBE9BF89314F14496EE5D58B350E730E945CB9A
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: 0
            • API String ID: 0-4108050209
            • Opcode ID: 3879ace94afe817b90bbe46a23332a49a4d72a4644c19d40f29a02a3c7cf18dc
            • Instruction ID: 09e8124e4509debcb4bb985f3ae7ae0c40ed4804bf1f4e23bc39913d7e1d3a07
            • Opcode Fuzzy Hash: 3879ace94afe817b90bbe46a23332a49a4d72a4644c19d40f29a02a3c7cf18dc
            • Instruction Fuzzy Hash: 65F18F79A087458FDB21CF25C480B6BBBE5AB88650F09486FFC999F342CB30D945CB59
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: aaccd90dba57af81b67b373fd9cfc98d16774ae5098b301c15c93286fefc7c34
            • Instruction ID: de8a654303fecfbf3bd02c56b9fbdefdb419d14f23643f6e7b498ea378a3b151
            • Opcode Fuzzy Hash: aaccd90dba57af81b67b373fd9cfc98d16774ae5098b301c15c93286fefc7c34
            • Instruction Fuzzy Hash: B1120CB6E006199FDB14CF9AD48059DFBF2FF88314F1AC1AAD849A7315D674AA418F80
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 34f411e079dc7edd0e4090f6f318c8fe75ffbaf05ecd37e2bfe7b847e83a615d
            • Instruction ID: c1498095cd04f39334f4455765c32f06129ba65c29d834407c8626be61699add
            • Opcode Fuzzy Hash: 34f411e079dc7edd0e4090f6f318c8fe75ffbaf05ecd37e2bfe7b847e83a615d
            • Instruction Fuzzy Hash: C1021EB6E006189FDB54CF9AC4805DDFBF2FF88314F1AC1AAD849A7315D674AA418F80
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: (
            • API String ID: 0-3887548279
            • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction ID: e78b9cf0e475e87b0fc6d327715f66406e5220a167d578916a05212bbcf92185
            • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
            • Instruction Fuzzy Hash: FA021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PATH
            • API String ID: 0-1036084923
            • Opcode ID: eec731c5433a9ad15ed32ff7731119d42f5b49d3078f6c00a52865d5857ed05e
            • Instruction ID: 5da5ad2ac8ef17233e1791394ffe795b13ef6592d99565698e7103acfb26da9c
            • Opcode Fuzzy Hash: eec731c5433a9ad15ed32ff7731119d42f5b49d3078f6c00a52865d5857ed05e
            • Instruction Fuzzy Hash: 76F1B179E00218DFCB25DF99D881ABEB7B5FF4A700F58402AE441AF350D774A842CB99
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d5eaf7d085e0f0472d617843eb612436790b4b2cb88ee92f81b04532a84ab9a
            • Instruction ID: 8dfdacb1ce167c288fd004cea4aeaecef25992ac224c6b06862535b9d0b5fa85
            • Opcode Fuzzy Hash: 0d5eaf7d085e0f0472d617843eb612436790b4b2cb88ee92f81b04532a84ab9a
            • Instruction Fuzzy Hash: AC414B74D00688EFDB20DFA9D480AAEFBF4FB49300F54416ED899AB221D7309905DF64
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: c0047d08748991a07c08f296687c3a790a16eceb5d13efe9e2354dc3fa11306c
            • Instruction ID: b83091799d4a52a129cba6edd5d9ae7801c60578234c7d7cedb8f4061ca1a3bb
            • Opcode Fuzzy Hash: c0047d08748991a07c08f296687c3a790a16eceb5d13efe9e2354dc3fa11306c
            • Instruction Fuzzy Hash: 47A10A31A043686ADF24DB598840BFFA7A95F4A304F0842DBED976F381C674CD858B5D
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: e
            • API String ID: 0-4024072794
            • Opcode ID: 6b910a2904172c8c40e749f3d600a8add20457151f68ebc6bfb407182120abac
            • Instruction ID: 6081209dbae853bed98f4dee38f56ad15f25ed330e1b47d15228b5fda8a244b4
            • Opcode Fuzzy Hash: 6b910a2904172c8c40e749f3d600a8add20457151f68ebc6bfb407182120abac
            • Instruction Fuzzy Hash: DBA159B1A04229AADB10DFA5DC81FFFB378FF85704F44415EE50497142E7789B428BA9
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: gfff
            • API String ID: 0-1553575800
            • Opcode ID: a66e5aede29c97aa8d223bc632f4126767bcf5629fda867dc9e1eb64f7e53378
            • Instruction ID: 261adc9e97dc6499e0ca149a2a8c0f2011ae9fecc602cb9f3e9a117c68d8232f
            • Opcode Fuzzy Hash: a66e5aede29c97aa8d223bc632f4126767bcf5629fda867dc9e1eb64f7e53378
            • Instruction Fuzzy Hash: 9371D371B0051A47DB2CCD5DDA5427AB3A2EB94314F18817FD90AEF7D1EAB8AE0187C4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: GlobalTags
            • API String ID: 0-1106856819
            • Opcode ID: ea049d22bd80c3ff29964befb9df97090d1064b8291757abcb12e5abb2cf868b
            • Instruction ID: 62e1466adc810ac9a9e89d53412e2de295475434b79cf05dd81f0352b071f0f7
            • Opcode Fuzzy Hash: ea049d22bd80c3ff29964befb9df97090d1064b8291757abcb12e5abb2cf868b
            • Instruction Fuzzy Hash: 97715C79E0160A8FDB28DF9DD5906AEBBB5BF58700F19816FE805AF350D7348801CB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction ID: a13ddf2fbd0cf5108a48de513ac79d649daffa1e88269cd2638d58035c301a9d
            • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
            • Instruction Fuzzy Hash: 3C614C75D00219AFDF25DF95C840BEEFBB8EF89714F14456BE820AB290D7B49A01CB54
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction ID: 251f5064371e1cfbb4fb1102883778aef5d1ea49974000058aca57c75401a188
            • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
            • Instruction Fuzzy Hash: ED516A72604705AFE721DF55CC40FABB7B8EB84750F04092EB5889E290D7B4E9188BA9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: EXT-
            • API String ID: 0-1948896318
            • Opcode ID: 501ac305368f6c5d2b6b804e371c3b593c69d2a7bdaee3dde84a5fdd35bbc5a3
            • Instruction ID: 3d8eb3a0f9e22413f8f43462a7f06e93a64ae5999340aa7a7fb4ba3c000a2509
            • Opcode Fuzzy Hash: 501ac305368f6c5d2b6b804e371c3b593c69d2a7bdaee3dde84a5fdd35bbc5a3
            • Instruction Fuzzy Hash: BE417D766083119FE710DB658A80B6BB7E8BF88714F44093FF994DF280E674D944879A
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: PreferredUILanguages
            • API String ID: 0-1884656846
            • Opcode ID: bc03fdd48dca9a3ce8b8910da1b836c682b6b38da908a921154311538cc59c61
            • Instruction ID: 66be4d48e2731513f5c2920a2b2e3a2607757a79a860f3350f6823437173c08c
            • Opcode Fuzzy Hash: bc03fdd48dca9a3ce8b8910da1b836c682b6b38da908a921154311538cc59c61
            • Instruction Fuzzy Hash: E741D136D04219ABCB11DA95C841BEFF7B9EF44711F05016BE951AF354D6B0DE40C7A8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: BinaryHash
            • API String ID: 0-2202222882
            • Opcode ID: 9533ad98e007e7c93302b8c1cd274ae9b752cc1314bb9f13117048b5a5f87fd9
            • Instruction ID: 85c039417e1dadd2035b6619d4fd26cb63fd424d4c352fa1412e328ceb2232db
            • Opcode Fuzzy Hash: 9533ad98e007e7c93302b8c1cd274ae9b752cc1314bb9f13117048b5a5f87fd9
            • Instruction Fuzzy Hash: 404144B5D0062CAEDB61DB55CC84FDEB77CAB45714F0045AAE608AF140DB709E498FA8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: verifier.dll
            • API String ID: 0-3265496382
            • Opcode ID: bc8039e2400dfaaab3b2f985465e01f503a463098320dbeac67fdd6b7ce690b7
            • Instruction ID: 497605a79a930d1697404efafd8803687230d822fc49d34ab265b85928045ca7
            • Opcode Fuzzy Hash: bc8039e2400dfaaab3b2f985465e01f503a463098320dbeac67fdd6b7ce690b7
            • Instruction Fuzzy Hash: A9318F75B103019FDB25DF69A850AB6B7F5EB4A310F58847FE6089F390E731888197A8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: Actx
            • API String ID: 0-89312691
            • Opcode ID: 14f42f66a77c068273c898f04f76f489a1ef0c413305e351e5c554d9b9f8f794
            • Instruction ID: a6e0cdc34d7dc36e092ffb742f483b55def58011b3a19172f8178e7d04559454
            • Opcode Fuzzy Hash: 14f42f66a77c068273c898f04f76f489a1ef0c413305e351e5c554d9b9f8f794
            • Instruction Fuzzy Hash: 981154307055128BEB24C91D98506B7B6E5EB9F264F3885ABD4A1CF391D672D8428788
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f94fc2c06aead4c42c46ce32e4ae53c57a21512011b41cc29ae779415a0b00ef
            • Instruction ID: 361a1b03acf8e4ca0796afd0ac15fc5fa7eb0abe6519a5f8b2f62e9a43108d42
            • Opcode Fuzzy Hash: f94fc2c06aead4c42c46ce32e4ae53c57a21512011b41cc29ae779415a0b00ef
            • Instruction Fuzzy Hash: 1E822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB345DA34AC568B45
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8bed42d9ea82a47ab628577b264d17e4e89b9289721389e66fbec754a20d1c3f
            • Instruction ID: 5b33029e9a0f2847953fd732bd61bd4134af70cbc59890f319a166e6f007bfb4
            • Opcode Fuzzy Hash: 8bed42d9ea82a47ab628577b264d17e4e89b9289721389e66fbec754a20d1c3f
            • Instruction Fuzzy Hash: 87628F3280464AABCF24CF48D4905EEFB62FA56314B49C5DEC89A6F704D331B955CBD8
            • Instruction Fuzzy Hash: DB6174B5A00606EFDB18DF69C480AAEFBB5FF49200F18856FD459AB350DB30A945CBD4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b26bc6adb6323a361641ad953e89380fb6cabc90cc2cdd82bfd68c79d3ff1fb2
            • Instruction ID: 22d847a39185b43030bfb3d51c3f163aab6ebee199b8253eb0d72d9c852ce5f7
            • Opcode Fuzzy Hash: b26bc6adb6323a361641ad953e89380fb6cabc90cc2cdd82bfd68c79d3ff1fb2
            • Instruction Fuzzy Hash: 9B61AE356087828FD315CF65C494B6AB7E0BF94704F1C486EEA958F391D735E806CB89
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction ID: fd5e0b69d9f9a72ce218e65d4bb9387658b6d5a8176f993de13117627459c741
            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
            • Instruction Fuzzy Hash: 61510932A047069FC714DE29889076BF7D6AFC1250F1D846FEA55CF389DA30DC0687A9
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction ID: fdf5f8ad6e29f4e26dbd19c7e97756ee468240f9d54d0d50876168183041382c
            • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
            • Instruction Fuzzy Hash: C95181B3E14A214BD318CE09CC40632B792FFC8312B5F81BEDD199B357CA74E9529A90
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 063e9161c3c2bac278b24fc22cd04b535163e434c51032a8589414cf0265f4a2
            • Instruction ID: 1415bf1e300cd2f6ac39aba251518ef6904be72a3d3231c043feb927837740db
            • Opcode Fuzzy Hash: 063e9161c3c2bac278b24fc22cd04b535163e434c51032a8589414cf0265f4a2
            • Instruction Fuzzy Hash: 844134356007109FD726EF2AD880F2ABBA8EF45750F55846FE519AF3A0D770DC018B98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 281e9808931b5bd203160d0e1406da2652e979f549f6336e5604ec5387c25e3c
            • Instruction ID: eb63c37275be9798bfa90c08e12d9f7ef5716e234b189e666756cbd5c0d729b2
            • Opcode Fuzzy Hash: 281e9808931b5bd203160d0e1406da2652e979f549f6336e5604ec5387c25e3c
            • Instruction Fuzzy Hash: A551D236A1014A8FCB08CF78C480AAEBBF1EF98314F19827AD915DB355E734DA15CB94
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 95237d19aa04176347acf2554158ff12917d48e3853adffd5f4297bb64ca8904
            • Instruction ID: 6d399b897b32dd6ef9c4c322de6bac23a8a85f3bc264af77e6504bf82b635b5d
            • Opcode Fuzzy Hash: 95237d19aa04176347acf2554158ff12917d48e3853adffd5f4297bb64ca8904
            • Instruction Fuzzy Hash: 9E5182B3E14A214BD318CF09CC40632B792FFD8312B5F81BEDD199B357CA74A9529A90
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0f8dc1a99c685ed198038357e69c88b669c99e67cd8547bde8bc5920ee0faf95
            • Instruction ID: 40f5c57da9df6911497ac2a7c5a5b5cba08e38cc431c7b375fdb38b22e2fe2e9
            • Opcode Fuzzy Hash: 0f8dc1a99c685ed198038357e69c88b669c99e67cd8547bde8bc5920ee0faf95
            • Instruction Fuzzy Hash: C751E379A00615AFE711CF58C48066AF7B0FF44B10B0981BAE855DF740D734E9A6CBC8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d11f6052f8dafe12c2bb68293a639b39df1adc31c8b0287b57644551394ddd6b
            • Instruction ID: 48d3c933157333340bad443370ad164583dff4cce747d8bb5161ebfcb2c877fa
            • Opcode Fuzzy Hash: d11f6052f8dafe12c2bb68293a639b39df1adc31c8b0287b57644551394ddd6b
            • Instruction Fuzzy Hash: CC51E1B5A00606EFEF15DF64C944BAEBFB4BF49311F1440ABE4529B390DB709912CB88
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a5b11fa60b55935b2af0c65471e96c1508680af3e0b717d6dff9f4cf326db0cd
            • Instruction ID: 8f2fef4c402590367377a3999bc076bbca33c74e600f46d139dbd72c8e32010f
            • Opcode Fuzzy Hash: a5b11fa60b55935b2af0c65471e96c1508680af3e0b717d6dff9f4cf326db0cd
            • Instruction Fuzzy Hash: DB519936E4412D4BEF24CE58E461BEFF3F2AB85310F48081AE845BF3C5C2B66956D664
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c47168ffeae7916593fdf3acb649367c62a4fa1a69c3e3b5da1ac0b704f12bfa
            • Instruction ID: 15d27faf6ceb67c9b23f9e04fed292a13752b73a145838b880627102e7fc5b76
            • Opcode Fuzzy Hash: c47168ffeae7916593fdf3acb649367c62a4fa1a69c3e3b5da1ac0b704f12bfa
            • Instruction Fuzzy Hash: 5151AC74A00A15ABCB14DF69C4A0ABAB7B8FF66700F08416EE851DFB90E734D850CB95
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction ID: 5948e36b7f5a18469186b64de86f30d9441b669796f1b369b3bba25dcfb359b9
            • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
            • Instruction Fuzzy Hash: C8517D72A087429FD301CF28C880B5BB7E5FBC9244F08892EFA948B385D734E905CB56
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4ba4b11747b80f4d83a02bbb5a6be7339928c5bbbab2edeca3fe04ea3394d641
            • Instruction ID: 4af23e0ebeb18be60777518509b2f568a6fdff7d123eb0b185f73448b05d444e
            • Opcode Fuzzy Hash: 4ba4b11747b80f4d83a02bbb5a6be7339928c5bbbab2edeca3fe04ea3394d641
            • Instruction Fuzzy Hash: 6951E331A00115AFDB14DB69C844A7EBBF9FF48390F0C416ADA11DB260DB74AD16CB84
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dceb2a5b859c7b3b52b9ba9a575f909cb411dfeb65d3f20581b870d8d2707976
            • Instruction ID: a193828204f0e6878ce44e99e08ac1888090bba5e9bcc9ca0c1e70dc0e6d64b4
            • Opcode Fuzzy Hash: dceb2a5b859c7b3b52b9ba9a575f909cb411dfeb65d3f20581b870d8d2707976
            • Instruction Fuzzy Hash: FF517C75A05215DFEF21DBAAC840BAEB7B8BB0F714F18009BD811EF250D7B499418B5A
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aafde7dcda45950ed623106e3c1ad972807572f3b5ded4a5574ad0a07bbd43dd
            • Instruction ID: 877841b7a405ad34bcd1461fb7796eff382c00c8df6dcf9af636f0000c8aa24a
            • Opcode Fuzzy Hash: aafde7dcda45950ed623106e3c1ad972807572f3b5ded4a5574ad0a07bbd43dd
            • Instruction Fuzzy Hash: B5417476D04229AFDF11DFA99884AAFF6BCAF05650F05016BE911EF300D634DE0587E9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c583e59ed59b3b171f5ecdb0aacba307aebf2107573aed195ff202b7178495b
            • Instruction ID: 201d24fd48f748ebdc082c75655aad1d7d1676db9b685e2220588c4c12ed08f2
            • Opcode Fuzzy Hash: 8c583e59ed59b3b171f5ecdb0aacba307aebf2107573aed195ff202b7178495b
            • Instruction Fuzzy Hash: 8941AC36A042189BCB14DF98C440AEEF7B4BF88610F18816BE816EF350D7359C41CBAA
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction ID: f1a9340b4efcd860625917fb8365d614c3ef99e070ffe6244093137a13888f58
            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction Fuzzy Hash: 82515B75A00615DFDB14CF9CC580AAEF7B6FF94710F2881AAD815AB350D730AE42CB94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction ID: 3e4c8020fde09d5cc82a71ec5c72973cdace0c340d5d54fa26a49ab43bab68fd
            • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
            • Instruction Fuzzy Hash: 1B514671E00606DFCB18CF68C4916AAFBF1FF58314B18816ED819AB745E734EA80CB94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 089fa968b89bb64e0b9c0b60d43bcfaf2d1e41005662a97a15408d08b838efd1
            • Instruction ID: 389ec6582958182a61f51d2badab8c8265fe15ea1d7e1779718e1b955a90a3fc
            • Opcode Fuzzy Hash: 089fa968b89bb64e0b9c0b60d43bcfaf2d1e41005662a97a15408d08b838efd1
            • Instruction Fuzzy Hash: 1951D670904216EFEB25DB64CC44BA9BBB5EB06314F1942ABD425AF3D0D7785981CF88
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b29fcddecef804ca2bdcd7f9eb05d2f36a0baa846cd5067631d772750e229216
            • Instruction ID: cf6b0f706a59060c8a87e5f2980fb2a44919e421859016eed9689b20d7f9c103
            • Opcode Fuzzy Hash: b29fcddecef804ca2bdcd7f9eb05d2f36a0baa846cd5067631d772750e229216
            • Instruction Fuzzy Hash: DB418A75640711AFDB21EF66C884B2ABBA8EF10794F44846BE511AF260D770DC01CBA8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2c4294f1ca823b650130390ef81a9301ddb6791e6a742e15c72352a47e9f17e7
            • Instruction ID: 7a448994d7749a2abc82915f4f4715af0f81990884ad9909ea41a56aefb22702
            • Opcode Fuzzy Hash: 2c4294f1ca823b650130390ef81a9301ddb6791e6a742e15c72352a47e9f17e7
            • Instruction Fuzzy Hash: 8541DF712083419FD704CF25D8A587BBBE1FB84225F088A5EF9958F382C730D81ACBA5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction ID: 9418d76a23b5a52fa893c4acfa190f4ca784b8952e4ea16ace50458937600734
            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction Fuzzy Hash: 4C418675B00219AFEB15DF99CC95AAFBBBAAF84600F1C406AE6049F351D770DD01C764
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9dfaf528aea09cd753a23989f7735b77306bb62de4a44e5aacd7b378766883de
            • Instruction ID: 7b0b279abc71fcac419cfefdbb962356b222c6f9e6e7c4171a91387299dbb07e
            • Opcode Fuzzy Hash: 9dfaf528aea09cd753a23989f7735b77306bb62de4a44e5aacd7b378766883de
            • Instruction Fuzzy Hash: 2A41F230E082959FCB14DF29C4A5ABAFBF1EF4A300F09849AE4C58F355C735A456DBA4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4e8ed7b5208ee7c06feffeb47c55b35b2a910418b695d798db1018068c60f79e
            • Instruction ID: a0ceaec4bb1a20e3d1bd0d35f9afdf176b8c71b0a891cdb439b8f5e2a441c466
            • Opcode Fuzzy Hash: 4e8ed7b5208ee7c06feffeb47c55b35b2a910418b695d798db1018068c60f79e
            • Instruction Fuzzy Hash: 2D41D5759047409FD724EF26C950F6BBBA8EF56320F04052FF8158F2A1DB30A84ADB99
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: 27763913da1eb13aa6489ac2fd52173c17fd73df8a86257c0a864bcc0074d336
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: 1E41F631A00221DFDB21EF9584507BFBB62EB50754F99806BEE45EF340DA359D41CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction ID: 61810ad3a62037bca9b738cb176ebb8f25de7985b5940e4bb6df3ecb96c84c90
            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction Fuzzy Hash: 4F413775A04705EFDB24CF99C980AAAB7F8FF08700B10496EE556DB290D330EA44CF99
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f83bffb8f518da605ed4c95588a49d11216cd120c90d6315c4a7e44b6800f9d5
            • Instruction ID: f14b675e746a3aa82f1abe90f5654fc1b64f5863bbe2e6b727c86b1e2cec88ff
            • Opcode Fuzzy Hash: f83bffb8f518da605ed4c95588a49d11216cd120c90d6315c4a7e44b6800f9d5
            • Instruction Fuzzy Hash: 3B41AB75501714CFCB21EF29D940A6AB7F5FF4A310F148AAFC8169F2A0DBB09942CB49
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: becd24f9b575b86fafca8a56225493150a0a935f7eee82a46ec9204e6592ceaa
            • Instruction ID: 6cfdd2c66a8b45142abf0bd959238e11ad39d252143c199a101840d088e8b3fb
            • Opcode Fuzzy Hash: becd24f9b575b86fafca8a56225493150a0a935f7eee82a46ec9204e6592ceaa
            • Instruction Fuzzy Hash: 36415675A002599BC700CB2694B0ABABFF1FF85205F4CC1AAD8819B2C2D63AC55BC770
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 13c21dc29b12113a9d9761714a252444ccc7e5f55412a3d6daf049973e0767e5
            • Instruction ID: f22338a4dab3fdce1497f763cbb3d81a06aaf18c68e6a60c53cc985f403c4f91
            • Opcode Fuzzy Hash: 13c21dc29b12113a9d9761714a252444ccc7e5f55412a3d6daf049973e0767e5
            • Instruction Fuzzy Hash: B8311636B101069FC718CF29CC44AA7BB99EF85750F0C867AEA18CF384E674D949C798
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ced00b3b67be9c741da93fedadf7fc215f64ca99eef8df2027f91e9df010430e
            • Instruction ID: 553d6a44b1d4031d9b134ec1de5d9befc05b0992445e8d6e0200a36f45246f44
            • Opcode Fuzzy Hash: ced00b3b67be9c741da93fedadf7fc215f64ca99eef8df2027f91e9df010430e
            • Instruction Fuzzy Hash: C441B433E0002A9FCB18CF68D49197AF3F1FB4830579A41BED905AB294DB34AD45CB94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 193b804cc91f41af1f174b2aa6e29c3aad5d3af5dec48ff9b8191839d49e7e5a
            • Instruction ID: 98b71bcf97cfeb146fcfb365b99abf67c3a9c1fac9a4b674a51e2f2df444680d
            • Opcode Fuzzy Hash: 193b804cc91f41af1f174b2aa6e29c3aad5d3af5dec48ff9b8191839d49e7e5a
            • Instruction Fuzzy Hash: 05313676600215AFD710DF29CC44EABBBE5FF88350F49842AFA08CF240D674E90AC798
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction ID: 83411e6d709a4cb6368d4959cede36910f5c5c7dedef707d6a44b8dbae8bcab8
            • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
            • Instruction Fuzzy Hash: 493193116586F14DD30E836D08BD675AEC18E9720174EC2FEDADA6F2F3C0988418D3A5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: e19f7196e1f1c850f5b3fedb23c85565ad37bf80fbd65ed772a3b4c8e329f433
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: 9C31E632A04244AFEB21DB69CC40B9AFFA9FF05350F0845BBE455DF351D6749885CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a0f5ab957db3093bafe96161c89258c986f53903972de7be78b25881997fa322
            • Instruction ID: 5746e5cbd6d016e6db78bf3e6d9f9cfece300adc5d6f7328cd9761cc94c50d57
            • Opcode Fuzzy Hash: a0f5ab957db3093bafe96161c89258c986f53903972de7be78b25881997fa322
            • Instruction Fuzzy Hash: 3B316475E00328EFDB21DB25CC40B9AB7B5AF8A710F1501EAB94CAF281D7309E45CB55
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d905bd790d4058cef6462fa6b736e620f5a001f027e3164b2d32661345e66ac
            • Instruction ID: 5dc63004f5bbd7635baa5919d1c03457380e94834b1269412eae17900d174d79
            • Opcode Fuzzy Hash: 2d905bd790d4058cef6462fa6b736e620f5a001f027e3164b2d32661345e66ac
            • Instruction Fuzzy Hash: F231C039601A02EFDB51DF21C980A9AFBA9BF4A754F0410ABE9518FB50D770E821CBD4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5f4320ca21c3db3bd8c056b4de771b02c8205c6a6282f5042491b3de1c6e3e7a
            • Instruction ID: 788dec62cfda3a2e0f4fed2101d24e5001f911b14de4a9a43bf106ae49176c92
            • Opcode Fuzzy Hash: 5f4320ca21c3db3bd8c056b4de771b02c8205c6a6282f5042491b3de1c6e3e7a
            • Instruction Fuzzy Hash: 03419E35200B459FDB22CF25C981BD6BBE9AB4A314F14842FE5A98F350C774E804CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction ID: 11b68e1602b70722a08700362f52c89965ba3849ca20d50f37ca1e67d8ac0f57
            • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
            • Instruction Fuzzy Hash: 8331E531E083419FEB21DA29C800777BA94AB86754F0C85AFFC968F786D274CC41C79A
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
            • Instruction ID: 79c74ede91e9004ca4a034654464919aa87d44a869bf0b2d45f1303745a96cbf
            • Opcode Fuzzy Hash: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
            • Instruction Fuzzy Hash: F031A376A00255EFDB15EF99C840BAEB7B9EB44740F4A416AE500AF344D774ED01CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c8829691fcc26e9e9ff3f6b5cdda20c3a7a177689c6101b75c412d76214551a0
            • Instruction ID: b71f6a2abe6bbb2b5b9b4fd4d186e0bc59fa95664e4299eb484183ae72829032
            • Opcode Fuzzy Hash: c8829691fcc26e9e9ff3f6b5cdda20c3a7a177689c6101b75c412d76214551a0
            • Instruction Fuzzy Hash: 3721D33AA00B20AFD322EF598400B1ABFB4FB84B50F15046FE965AF350D770E811CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ebac86d7bb2ee5a1140b3fc3aa3e748d3fd62eb58568be1a1f0fe5014bb0c73c
            • Instruction ID: 7587c4b863d2d5a274cbf7475552f36e08d608792589dd2239c781664bb2d8d5
            • Opcode Fuzzy Hash: ebac86d7bb2ee5a1140b3fc3aa3e748d3fd62eb58568be1a1f0fe5014bb0c73c
            • Instruction Fuzzy Hash: 97318E716002449FCB24DF2AD885A5B7BF4FF59300B86846AE908DF249D270E949CBA8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d4176dfb37ee20186969f0474fdec51d05c7be620f8c7178bdb5eb4a5e1c6144
            • Instruction ID: 2ebe9876c229f8c2bdbdc174224be938306caa2ddf9fbdc5106ab59cf8b49acf
            • Opcode Fuzzy Hash: d4176dfb37ee20186969f0474fdec51d05c7be620f8c7178bdb5eb4a5e1c6144
            • Instruction Fuzzy Hash: 4B310275700215AFDB12EFAAC940B6FBBB9AB44300F0900AEE641DF351DA34DC018B98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4a4600052c9713ea2ae2f3807cf900385c19f1d6e5c920c06d51e2ba5a9cb5fe
            • Instruction ID: a94149f0b8b1381d16e328fa320f6e973af973ada306b6ea9409885e9348992f
            • Opcode Fuzzy Hash: 4a4600052c9713ea2ae2f3807cf900385c19f1d6e5c920c06d51e2ba5a9cb5fe
            • Instruction Fuzzy Hash: 8331B636A04711DFC715EE258880A6BBBA5EF9A650F05462FFC66AF310DA30DC118BD9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction ID: d454e7b2ba0e30cd989507c44ce9f4a0f3c5dbf5c2a15e3afcb2f3a109878b91
            • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
            • Instruction Fuzzy Hash: 3531C036E00A24AFDB21DE54C880B6BBBB9DBC1750F5D846AED25AF310D278DD40CB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b96a7e8d9d04029ab8521360f68096d74de12273e55186dc9c14f70e4c77e7ac
            • Instruction ID: 447f4bbf3d2b2e81b51f315e442c21a34c9781904cf267b3f0b528f4044e7ac9
            • Opcode Fuzzy Hash: b96a7e8d9d04029ab8521360f68096d74de12273e55186dc9c14f70e4c77e7ac
            • Instruction Fuzzy Hash: FA31D472B106265BD354CE7AD880656B3E6FB883507548739C918C3B40E774F962CBD0
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 568f557d14343925fd0579b1166fc4799a771e8b4c0d2621e2541247a0569807
            • Instruction ID: a9dce266c4766655809225325cb00dc83d5b3d04f66fd314b95a8f38db6a43eb
            • Opcode Fuzzy Hash: 568f557d14343925fd0579b1166fc4799a771e8b4c0d2621e2541247a0569807
            • Instruction Fuzzy Hash: B231B039705A06FFEB15DB25DA40A5ABBA5FF49200F0450AAE9118FB50D731E831CB84
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction ID: f1bcc627e831d582264bd1e6a1743dd05e4bceb70e024fe0be0fb978aba97483
            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction Fuzzy Hash: D43130B2B00B00AFD760CF69DD41B57B7F8BB18750F18052EA55ADB750E630E900CB69
            Memory Dump Source
            • Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_svchost.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 59189662be1b060acf25a3c181d033bb22d874f8e3e384701cf8ad19543c4017
            • Instruction ID: f626405e738a6e0bb8c8032d60ccd1f1001c25da4bd2de751fc850ed97b97e3e
            • Opcode Fuzzy Hash: 59189662be1b060acf25a3c181d033bb22d874f8e3e384701cf8ad19543c4017
            • Instruction Fuzzy Hash: B731AE72A14A108FD368CE6DD945603B7E5EB9C310B454A7EE88AD7B82D6B8ED01C7C4
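The entries in this listing all follow one fixed layout, and the useful pivot for an analyst is which dumped region a function came from: the Yara-matched 00400000 image in svchost (the injected FormBook payload) versus the RWX region at 03400000. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin; it parses a constructed sample of three entries copied from the listing above and groups them per region. The interpretation of the fifth dot-separated segment of the .sdmp file name as the region's Windows page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about Joe Sandbox's naming convention that the page does not document.

```python
"""Parse the 'Memory Dump Source' function entries from a Joe Sandbox report and
summarise them per dumped memory region, flagging the Yara-matched region."""
import re
from collections import defaultdict

# Constructed sample: three entries copied verbatim from the report listing.
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
• Instruction ID: 79c74ede91e9004ca4a034654464919aa87d44a869bf0b2d45f1303745a96cbf
• Opcode Fuzzy Hash: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
• Instruction Fuzzy Hash: F031A376A00255EFDB15EF99C840BAEB7B9EB44740F4A416AE500AF344D774ED01CB98
Memory Dump Source
• Source File: 00000004.00000002.2189442414.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_svchost.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b96a7e8d9d04029ab8521360f68096d74de12273e55186dc9c14f70e4c77e7ac
• Instruction ID: 447f4bbf3d2b2e81b51f315e442c21a34c9781904cf267b3f0b528f4044e7ac9
• Opcode Fuzzy Hash: b96a7e8d9d04029ab8521360f68096d74de12273e55186dc9c14f70e4c77e7ac
• Instruction Fuzzy Hash: FA31D472B106265BD354CE7AD880656B3E6FB883507548739C918C3B40E774F962CBD0
Memory Dump Source
• Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
• Instruction ID: d172a8cd635638de92016e82ab756115eb1de436065fa8b496666dddd6d5f3d0
• Opcode Fuzzy Hash: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
• Instruction Fuzzy Hash: B8215A36100710DFC721EF59C940F5ABBB5FF18704F14496EE00A9FAA1C774A815DB48
"""

FIELD = re.compile(r"^• ([^:]+):\s*(.*)$")
SOURCE = re.compile(r"^(\S+)\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant


def parse_entries(text):
    """Split the listing into one dict per function. 'yara' records the
    'Yara matches' marker, which only some entries carry."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":
            cur = {"yara": False}
            entries.append(cur)
        elif cur is None:
            continue
        elif line == "Yara matches":
            cur["yara"] = True
        else:
            m = FIELD.match(line)
            if m:
                cur[m.group(1)] = m.group(2)
    return entries


def summarize(entries):
    """Group functions by (process index, base address). Treating the fifth
    dot-separated segment of the .sdmp name as the page protection is an
    assumption about Joe Sandbox's file naming, not something the report states."""
    regions = defaultdict(lambda: {"functions": 0, "yara": False, "rwx": False,
                                   "process": None, "api_ids": set()})
    for e in entries:
        m = SOURCE.match(e.get("Source File", ""))
        if not m:
            continue  # skip entries whose source line did not survive extraction
        parts = m.group(1).split(".")
        r = regions[(parts[0], m.group(2))]
        r["functions"] += 1
        r["yara"] = r["yara"] or e["yara"]
        r["rwx"] = int(parts[4], 16) == PAGE_EXECUTE_READWRITE
        r["process"] = e["Snapshot File"].rsplit("_", 1)[-1].split(".")[0]
        if e.get("API ID"):
            r["api_ids"].add(e["API ID"])
    return dict(regions)


def inconsistent_ids(entries):
    """Entries whose Opcode ID differs from their Opcode Fuzzy Hash. In this
    report the two are always identical, so a non-empty result means the
    listing was mangled when it was copied out."""
    return [e for e in entries if e.get("Opcode ID") != e.get("Opcode Fuzzy Hash")]


if __name__ == "__main__":
    for key, region in summarize(parse_entries(SAMPLE)).items():
        print(key, region)
```

Run against the full listing, the per-region counts show how many recovered functions sit inside the Yara-matched image versus the other RWX allocation, and the collected API IDs (here only InitializeThunk) tell you which of those functions the plugin could tie to a named import.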
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5789972c2c25b2f2c2c9eaa2c1f0850b6907bdf29e921d93497d63a54f7707b7
            • Instruction ID: 3144367f973f4011a375238f07eff904b2d2eb59245f69c5c20612ee2c5ab55b
            • Opcode Fuzzy Hash: 5789972c2c25b2f2c2c9eaa2c1f0850b6907bdf29e921d93497d63a54f7707b7
            • Instruction Fuzzy Hash: 3F319031F002059FDB20EFAAC980A6BB7F9AB85705F00852BE845DF265D770E985CB55
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction ID: 2a7864ff71e01eda7474d36490f23bb5f51eeae41e8d3f6221e0d442591afacd
            • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
            • Instruction Fuzzy Hash: DC3189B56083099FDB01DF19D840A9ABBE9EF89710F04096BF8519F3A0D770DC15CBAA
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction ID: cf5849b392c0d306b05a11fb1f2478a100800f8ae9af9b515e1b0a1658a883e0
            • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
            • Instruction Fuzzy Hash: 1A318875604206CFC710CF28C49095AFBF5FF89350B2986AAE9589F325EB30ED06CB95
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: beacb524d416f179c4bcf0bc8d9b4e1e530ec8a68bfb83c80e86fe0efd7ce135
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: CE21F93F600655AECB24EBA68C80ABBF7B4EF40611F40801FF9668E651E634DD50C764
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfdfcd5449c098c6871904edb42667e9cda7c94828050d3dd6c3d1afd5ec2dbf
            • Instruction ID: 90aeffa4c596e22e188ca22fb20db53439f55d497edbde3718cf435200561473
            • Opcode Fuzzy Hash: cfdfcd5449c098c6871904edb42667e9cda7c94828050d3dd6c3d1afd5ec2dbf
            • Instruction Fuzzy Hash: E131E8759013108BD734FF14CC41BADB7B4AF46314F5881AED8469F3D1DA749986CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fbd2315a78bc2a3449d7e5ca5a26df4356dcd0de370782e109b8a81b963445b1
            • Instruction ID: 359ce885a30bd62797440896cfe266292880a0ee5501fe18e54859676869198b
            • Opcode Fuzzy Hash: fbd2315a78bc2a3449d7e5ca5a26df4356dcd0de370782e109b8a81b963445b1
            • Instruction Fuzzy Hash: 89316171A00119AFCF14DBA5D894F9FBBB9FB88214F414169E905E7290DB306D05CBA4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: 648245121e17cd72b2d6ee5744904a7bf8186fb05f61a43ea2ba5c18cec037fe
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: 7E31B831600614EFEB20CF69C884F6ABBB8EF85314F1444AAE5129F390E730EE42CB54
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fa542c94f5a415468feb73aaf2ff52408bb382b7a1b53f34de01091532c00244
            • Instruction ID: f8d2dde5250ae79e7fc96f54194f34058cc8b63cfe1ff81dc3c3abfdac1be1e7
            • Opcode Fuzzy Hash: fa542c94f5a415468feb73aaf2ff52408bb382b7a1b53f34de01091532c00244
            • Instruction Fuzzy Hash: 9231D475A00605DFCB14CF1CC480DAEB7B5FF94300B55495AE8159F3A0E770EA81CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b4b4407b38a4f556a32a8719b469abcbda729be59416b55ad777e2475570d251
            • Instruction ID: 4cc48eb07a4ebdbfe933f1b44b79511cd5001379a33f8c4acdecddd10281d9b9
            • Opcode Fuzzy Hash: b4b4407b38a4f556a32a8719b469abcbda729be59416b55ad777e2475570d251
            • Instruction Fuzzy Hash: CE21E1392457609FDB71EF05D944B2BBBA4FB8AA10F09486EE8410F761C7B0E844CB85
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52995cc512526ba7b896df2f295ffff7bcd30ac4e16f79a8927e5def960abd7c
            • Instruction ID: aa236191f5101b95f4f4a1a7fb1ca84ac962d98d9387f8323f9ed0cb52c2a164
            • Opcode Fuzzy Hash: 52995cc512526ba7b896df2f295ffff7bcd30ac4e16f79a8927e5def960abd7c
            • Instruction Fuzzy Hash: 0A21F6326002058FD728CE29E880BBAB3A6FFD5310F594878D905CB1E5D732F846C790
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction ID: 0c45178ad5deb50a1dacbdd494e55e26ade496940c5b0ee068e9a803503f9e43
            • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
            • Instruction Fuzzy Hash: 6321BE72600300DFD719DF16C441B6ABBE9EF95361F15816EE90A8F3A1EB70E805CA99
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7e47804471cd4e71bfc16f9d6499dfda3ad228738fad19b4aa2451898355a2a5
            • Instruction ID: 9e1e042875a2c536fd30faed8cdfda49c1b41efcc70b9c5aaf70141d36c4c79e
            • Opcode Fuzzy Hash: 7e47804471cd4e71bfc16f9d6499dfda3ad228738fad19b4aa2451898355a2a5
            • Instruction Fuzzy Hash: 64217C75A00629AFCF20DF59C881ABFF7F8FF48740B55006AE541AB250D778AD52CBA4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e5d90aece192291bca46f193d8e89961d8d5849cd729682df1632da03f8988eb
            • Instruction ID: 7fc0e49fba35de5c7b20de84b70b2e976a4228d6785e5a312fbc12dd3726619c
            • Opcode Fuzzy Hash: e5d90aece192291bca46f193d8e89961d8d5849cd729682df1632da03f8988eb
            • Instruction Fuzzy Hash: 8D217775600644AFDB15DFA9C840AAAB7B8FF48740F18006AF944DB7A0E734ED50CBA8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0deeceb250aec3f0dbb1b93aad1ea3d12b899d50ecc8d043233bcc85de2cd384
            • Instruction ID: bf6ae02ad4c30a54abb1910c7e7d49cf67b266366a306f72d145de8d02609404
            • Opcode Fuzzy Hash: 0deeceb250aec3f0dbb1b93aad1ea3d12b899d50ecc8d043233bcc85de2cd384
            • Instruction Fuzzy Hash: 5321E431204B01DFDB31EE25D900B2777E5BB51224F18465FE8928E6F0D7B1A8529A5E
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9092aec3c1f64e3cfe8689f3cbf5d24081c2d56e0ece5ae4cfa9fad8bff73895
            • Instruction ID: 21c57187818ed48d3180e7a322d8a2b41fa9b0076b03d0acf31146fce2d0eb91
            • Opcode Fuzzy Hash: 9092aec3c1f64e3cfe8689f3cbf5d24081c2d56e0ece5ae4cfa9fad8bff73895
            • Instruction Fuzzy Hash: 77218C729043459FD711EFAAC848B9BF7ECAF81640F08446BB8908F251D734D949C6BA
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction ID: ac55e74794e594ea5ebfee2b18a95b0ed0c2432f9cf2ecbd0658bd7e95a62bbe
            • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
            • Instruction Fuzzy Hash: D121B072A44B00ABD311DF1D8C51B5BBBA4EB9A720F14052EF9559F7A0D730D90187AD
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c3253d35fbce06d2b622da13b83f2d8cc54825d9085ab6c5770fd5da1cdab40
            • Instruction ID: f9890f5d67de1cb6403c7c96297b1c945bf279904c7a293f9bff305f2599106a
            • Opcode Fuzzy Hash: 8c3253d35fbce06d2b622da13b83f2d8cc54825d9085ab6c5770fd5da1cdab40
            • Instruction Fuzzy Hash: 5B21E4613042505FD745CB1A98B54B6BFE5EFC6125B0982E6D884CF382C134D917C7A4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 248f9474a2389e79c462f400aa154835ae3424ed402e2d9c7bc7231b20321bd9
            • Instruction ID: 1f72e2ba5e83e64f66b83b7beab7126303765bf985c95ea2b15f252b8588c8d6
            • Opcode Fuzzy Hash: 248f9474a2389e79c462f400aa154835ae3424ed402e2d9c7bc7231b20321bd9
            • Instruction Fuzzy Hash: CD21AC79200B10DFC724DF29C800B46B7F5AF58B04F2884ADA919CF761E331E842CB98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
            • Instruction ID: d172a8cd635638de92016e82ab756115eb1de436065fa8b496666dddd6d5f3d0
            • Opcode Fuzzy Hash: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
            • Instruction Fuzzy Hash: B8215A36100710DFC721EF59C940F5ABBB5FF18704F14496EE00A9FAA1C774A815DB48
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5fb44f78c29a4ea8fe663b9463635dfc9255a9768fee091931c20caec9d3820a
            • Instruction ID: 6a237dba31ad227c908853693bf78292ef6065e57561fb77d485169a11d2eb1b
            • Opcode Fuzzy Hash: 5fb44f78c29a4ea8fe663b9463635dfc9255a9768fee091931c20caec9d3820a
            • Instruction Fuzzy Hash: 4021E433A104119FDB18CF3DD800866F7E6EFDD31436A427AD512DB268D770BD558A84
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: 9cfaa1505f469a1c7f83dd83f9c88cf3507025d2e370fa251561bb0948b6ffa1
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: B711DDB6604704AFE722DF85C840FAABBB8EB80754F14002AE6009F280D676ED44CB69
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d182b7dabff19ebb81c53b7b77f3f58baf8029470d7917e1bc875abba01d77ee
            • Instruction ID: e25c77d0b792de93f72dfba4403fdab39b9bb1cec0ec05d660943842f4ee77e5
            • Opcode Fuzzy Hash: d182b7dabff19ebb81c53b7b77f3f58baf8029470d7917e1bc875abba01d77ee
            • Instruction Fuzzy Hash: 64116D356016219FCB15CF59C980A6BF7EAAF4F750B1880AAFD08DF305D7B2E9068794
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fb30a396c61dbbe76568207d28c6932a20906a95d5520885d0b0f62b99762d80
            • Instruction ID: 988b84935ede345730890fe8f7addd00dafebfe7c43aa65d40f7131104685425
            • Opcode Fuzzy Hash: fb30a396c61dbbe76568207d28c6932a20906a95d5520885d0b0f62b99762d80
            • Instruction Fuzzy Hash: 0121B378A002098AE725DF5ED0487EEB7A4AB8E318F29C019D8115B3D0CBB89945CB59
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6cfc5c4fd8a7392a26389508a6439bb3e1279042ee0f5c7fa02168dd0f63a176
            • Instruction ID: 06a8e6ff62a42ca52b6481f253d611c32c4fd5ca139ab1c9b0a6f1a683d88e82
            • Opcode Fuzzy Hash: 6cfc5c4fd8a7392a26389508a6439bb3e1279042ee0f5c7fa02168dd0f63a176
            • Instruction Fuzzy Hash: 5B215E75A00205DFCB14CF98C581A6EFBB5FB89314F24416EE105AB314C771AD0ACBD4
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2ba53b8d1d51879fed2cdb487809c3da2233984859a8286b3f9859c5102b2ffd
            • Instruction ID: fbf840a14b61576878f963b8cff689f2080dacd65c0adfc0cddbef3f6f37df72
            • Opcode Fuzzy Hash: 2ba53b8d1d51879fed2cdb487809c3da2233984859a8286b3f9859c5102b2ffd
            • Instruction Fuzzy Hash: 53218E75601B00EFD720DF69C841F66B3E8FF44250F45882EE4AACB250DA74BC51CBA9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e75a1db94fd288c2a3ac7a0ba1be070038364b2b3cbbce0e673e181940b59abf
            • Instruction ID: a307281bfb2c031a6c4d1b52bb16a657f45a55a2a7e7f740eeb94e206a804fc4
            • Opcode Fuzzy Hash: e75a1db94fd288c2a3ac7a0ba1be070038364b2b3cbbce0e673e181940b59abf
            • Instruction Fuzzy Hash: C911E97E110240DED731EF56D841E6277A8EB76680F14402AE8009B764E338DD07DF68
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a0a4bca1f21c6860ee9fd87bdec8d319403468f46c951973528c9735c6165b5b
            • Instruction ID: f8f6f91cc1acb3b5d8290d07d0af9e3ddad8054aa4b1b19d5f8d62d1c0adf61c
            • Opcode Fuzzy Hash: a0a4bca1f21c6860ee9fd87bdec8d319403468f46c951973528c9735c6165b5b
            • Instruction Fuzzy Hash: EA2186B16102059FD754DF2AE880B42BBE4FB5D210B8585BAE90CCF25AE370D888DF94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 97747a3ea8cef0f65307d041595a076969cd097ae8a2bdc614a4f80da437f9a9
            • Instruction ID: e406a18e6c9c0452b7cc68758ba8daddd5a49b674a4315b1d49640557db01a56
            • Opcode Fuzzy Hash: 97747a3ea8cef0f65307d041595a076969cd097ae8a2bdc614a4f80da437f9a9
            • Instruction Fuzzy Hash: B2010475A05644AFF316E6AA9884F2BAA9DEF41754F09057BF8008F251DA54DC01C2A9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2e9d94aea4421c449a2f29cb9ecb89b11a98ec8dff41ada1f74c7879e08cb96d
            • Instruction ID: 7486d56b53ada5a0205dd74de525fe7c1daee13c7319330c683058e616e38979
            • Opcode Fuzzy Hash: 2e9d94aea4421c449a2f29cb9ecb89b11a98ec8dff41ada1f74c7879e08cb96d
            • Instruction Fuzzy Hash: 6C019B76F047406FD711DB6A9C41F6BB6E8DF84614F04042AFA15DF242D670E9018655
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
            • Instruction ID: e8fbf3f9fc5b64447a68fb4bb7d9542af197f616779d7b1047690d564c4bc4de
            • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
            • Instruction Fuzzy Hash: 78015275B00209AF9B04EBA6CD44DAFBBBDEF85A44F05045AA9159B200E770EE01D765
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 589976c8365fb6781ce5a7ef47bbe642bd665d94f29bf0cedf5289d18db097c0
            • Instruction ID: 9e9faa9c29c0c0f6c98bc4ba8fd12cb7f114b087d4e7c6a6e2798d9676af317e
            • Opcode Fuzzy Hash: 589976c8365fb6781ce5a7ef47bbe642bd665d94f29bf0cedf5289d18db097c0
            • Instruction Fuzzy Hash: 80118F752406449FDB25CF9AD940B9677A8EB8A764F14411AF8148F750C370E800CF68
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 251fba92f207af7cbb291c950803e55fe4aadb64b0d166de4e915bfd7dca15e7
            • Instruction ID: 78670d7964f08bd1f6021ed9abcbad5e9e1bc9815593562f4df79de684b05835
            • Opcode Fuzzy Hash: 251fba92f207af7cbb291c950803e55fe4aadb64b0d166de4e915bfd7dca15e7
            • Instruction Fuzzy Hash: 16112536A00715AFCB21EF5AE980B5FF7B8EF48740F55005AD900AF310D734AD018B99
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f37c01d2de1639c95d8d4707273c7c20156f9b3c958008f1e41a8dbe2516e0f2
            • Instruction ID: 1a98e3e9c33212a7c70b7a373a21693f7586e69ddc51d7437ea0aa52ff95af03
            • Opcode Fuzzy Hash: f37c01d2de1639c95d8d4707273c7c20156f9b3c958008f1e41a8dbe2516e0f2
            • Instruction Fuzzy Hash: 86118C716006249FD721CF65C841FAB7FE8EF44304F05442AE9859B211D735E811CBA9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f03fdbe44cf218b80f0c498a22748edf3b9c52bfe10c9b47289d16dde6d9a34e
            • Instruction ID: e7c828e88e7cbe35e047aa7b79dc4119e0d69c9f811559756884e244e9bb18bb
            • Opcode Fuzzy Hash: f03fdbe44cf218b80f0c498a22748edf3b9c52bfe10c9b47289d16dde6d9a34e
            • Instruction Fuzzy Hash: 7711E075A00648DFD720DF69D844BAAB7A8AB54700F08007BE901AF341D638D905C758
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction ID: a9ddf47c6dff552dea7a100bb180aef4a61f2f173f53b98bc4afa7fac8f70102
            • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
            • Instruction Fuzzy Hash: F801D27A240605BFE711EF16CC80EA3FB6DFF44790B04492AF2004E560C721ACA0CAA8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: 70e8d53d71172cd4b6d0217bb4fe98b13a89b5d6a3005b7df24f937ff97e9747
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: D60104754047219BCB30CF159840A23BFA9EF45760744896EFC95AF380CB31D421CB78
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5c15fecd20dffaa9336a983b9c70e08d6c59505f8de8a1199bb84ff70446818a
            • Instruction ID: c9fa08bbc403df043db3c4b2463fd08c71e27f7d4003370bc7834a7dc864c953
            • Opcode Fuzzy Hash: 5c15fecd20dffaa9336a983b9c70e08d6c59505f8de8a1199bb84ff70446818a
            • Instruction Fuzzy Hash: AF115E75541218AFEB25EF65CC41FE9B278EB08710F5045DAA314AE1E0DB749E91CF88
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3a64b0b64d1ac25f4760452d007a37d4fb039a7c1f49bd88e3f78f16d495c916
            • Instruction ID: 1c959dca69e9c67d07946cdb4511926000e59821062a5fcefaecde9de86a7edc
            • Opcode Fuzzy Hash: 3a64b0b64d1ac25f4760452d007a37d4fb039a7c1f49bd88e3f78f16d495c916
            • Instruction Fuzzy Hash: 1F118B3A641740EFCB15EF19C980F56BBB8FF58B44F24006AE9059F6A2C235ED01CA94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: 9e9e6639c1d9fc9fcbda5648712390454cb6a3a621407ba9c01975ecc49b1f28
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: D20128326002109BDF11EE19D880B97B77ABFC9710F1948ABEE118F345DAB1C885C794
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: f2e6bef4f4bd09461277527b591c61eba7329fe4d8385aea0a12287b700d5888
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: 33012D325017449FDB22EB66D440E6BB7EDFFC6650F44441FA9568F640DE70E802C754
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3fbc88acfc586515e252da2336411c44dec48f58ecf76b1a3ae718e23ff1f5fe
            • Instruction ID: 829822cc1972bb0e82cfa9bb2513a20c38c536ba9c2a193cf950de0bb8338112
            • Opcode Fuzzy Hash: 3fbc88acfc586515e252da2336411c44dec48f58ecf76b1a3ae718e23ff1f5fe
            • Instruction Fuzzy Hash: 88115775A00208AFDB15EFA5C850EAEBBB9EB44640F00409AE9119F390DA35EE12CB94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction ID: 1eeaa6389852ea26b35730b4aff09738a4bc5f2f6a679e3b7d185f18524b9a97
            • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
            • Instruction Fuzzy Hash: A5118B32900B219FD721DF16C880F22BBE4FF48762F19886ED4995E6A5C374E891CB18
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction ID: d3e7d536dd202f4c57e0d194ebe16d5b0f08825a18939fa191cb12330062a396
            • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
            • Instruction Fuzzy Hash: 2301863AB00205ABCB12DF9BDD00F5FBA6C9F85681B15442BFD15DF262EA30D902C768
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction ID: 9aa680fabed36272fa009701237d971e91bd282ba1670b4edd38ef9d78d5bc74
            • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
            • Instruction Fuzzy Hash: 540147BAF006049BD710DE55E800F66B3A9EFC6A20F14855BFE228F380DB34D801C78A
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cc52ff1210a0c80b09557b678b29473bb300da3de9e047b0e21e0c1f32ba62f0
            • Instruction ID: 66e297013aae5d33aa4a5509f828163e20fcddfe74980ca8d13089e7a1f26c94
            • Opcode Fuzzy Hash: cc52ff1210a0c80b09557b678b29473bb300da3de9e047b0e21e0c1f32ba62f0
            • Instruction Fuzzy Hash: 8E01AC35700614DFD714EB66D810EAFBBB9EF91610B59406F9901BF650EE30DD02C6B9
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: f3e01d610a50e2decf4e75a78365f23e2c1c5646beb81c46c9caddb85fbfce9a
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: 12014872200A809FE322D719C948F2BB7E8EB49750F0D04B6A815CFA92D728D881C629
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 92e563f708110629ede039a5f208e00e2b94901978c1ac1bcc6ab9957a15ca79
            • Instruction ID: 3e9027bc8e7a8166031494adaca12826527f74fbc1d920960a92c5f15f55342a
            • Opcode Fuzzy Hash: 92e563f708110629ede039a5f208e00e2b94901978c1ac1bcc6ab9957a15ca79
            • Instruction Fuzzy Hash: 02017175A10358AFDB14EFA6D805FAEB7B8EF44700F04406AA500EF380D674D905C798
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
            • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
            • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 176acd7322ed24a91e565d7811d53a8df544c30ad9be782dad5f4669ed03bfd1
            • Instruction ID: b704730af4a4f66cedd55867b770ef60dd311972c2e54dbcb7043b0f5453dcce
            • Opcode Fuzzy Hash: 176acd7322ed24a91e565d7811d53a8df544c30ad9be782dad5f4669ed03bfd1
            • Instruction Fuzzy Hash: 83116D78D10249EFDB04DFA9D440AAEB7B8FF18704F14845AA814EB390E634DA02CB95
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: ebb5804caa65620d2579101dae463ad429c58985ce6c0d432b477253d3b1b4fa
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: A3F0FC372447329FD732DB9A48C0F6FAD958FC5AE4F5A043BE119BF244CA648C0256D8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d9a6aee7cb95ae104297d03f0a8d7554e092bc7ab58112a19b15c0f073158e95
            • Instruction ID: 3a764805e534c52d9744304cc61a663fa9eeca1a738556deed183abec2e38e7b
            • Opcode Fuzzy Hash: d9a6aee7cb95ae104297d03f0a8d7554e092bc7ab58112a19b15c0f073158e95
            • Instruction Fuzzy Hash: CA012175A10349AFDB00DF69D9419EEB7B8FF49700F14445AE500EB390D6749A018BA5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e4dcedf7e51cde0b56707a0f3400f42cbaf811c3504165fbf78253a40a0cde4a
            • Instruction ID: f3f0085365c474e9e6d4ec51e288e857a9da61c70e51d8bf577c1cd7d06fe761
            • Opcode Fuzzy Hash: e4dcedf7e51cde0b56707a0f3400f42cbaf811c3504165fbf78253a40a0cde4a
            • Instruction Fuzzy Hash: 7C017CB5A00309AFDB00DFA9D9419EEB7B8FF49300F10405AF900EB391D634AA018BA5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: 7d3eb9db4c8088be369b8750762f5eb9149187b1dab0bfb7ea6aa4668a58ce08
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: 65F0C2B3A00610AFD324CF8EDC40E57F7EADBC0A80F088129A905CB320EA31DD04CB94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 99e69b683131b467cb48abf6d6aebf13fda27e2ffcdb375c6b3c6f176ede88f0
            • Instruction ID: d8669a7dee8484ce3c72383778a4167113b11f457ed4239ee4b953c7bf644f80
            • Opcode Fuzzy Hash: 99e69b683131b467cb48abf6d6aebf13fda27e2ffcdb375c6b3c6f176ede88f0
            • Instruction Fuzzy Hash: C3012CB5A00349AFDB00DFA9E9419EEB7B8FF49700F50445AE500FB390E674A9018BA5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction ID: 884bcdc1545cd5841677b322bc44875bd5b72604944f81cc5837c9ec7bafa4e4
            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
            • Instruction Fuzzy Hash: 6AF0FF72A01214AFE719CF5CC840F6AF7EDEB46651F0940BAD500DF230E671DE04CA98
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b8f6c126788fbe3bf4fc599febe9e5e6ba79d6935708d2f294de37c4e161da4
            • Instruction ID: 14fdc8d524188781b8e93e32c9b8fda5e9447d73776c4b26b7431b9f4b50121d
            • Opcode Fuzzy Hash: 5b8f6c126788fbe3bf4fc599febe9e5e6ba79d6935708d2f294de37c4e161da4
            • Instruction Fuzzy Hash: 48014CB8E00349AFDB04DFA9D441AAEBBF4EF08300F00806AA855EB340E674DA00DB95
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: eb7884ad8d1f1dd4a4999b11c5eabedd71ec0d6e3c114a76ccfe2f6652549293
            • Instruction ID: 809e522a3c3fdfd38914612592212fd097b1b9631be4d1abf700bb7f4337490e
            • Opcode Fuzzy Hash: eb7884ad8d1f1dd4a4999b11c5eabedd71ec0d6e3c114a76ccfe2f6652549293
            • Instruction Fuzzy Hash: 40F0A476A10348AFDB14DFBAC805AEEB7B8EF44710F00806BE511EF290DA74D9058795
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5f3afa62c0b5bc7bb3a7fee10f801080e0385da95f78b9f2d2e4c14db8ae86fd
            • Instruction ID: b586647bcaaf895bc9a8fc1f645a16cceeb47e4c9fc93e8fbcca1e43962348fc
            • Opcode Fuzzy Hash: 5f3afa62c0b5bc7bb3a7fee10f801080e0385da95f78b9f2d2e4c14db8ae86fd
            • Instruction Fuzzy Hash: 16018F71A00259DFDB10DFAAE841AEEB7F8FF48310F14005AE500AB390D774EA01CB99
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction ID: de0a9ea7aa9bf6476b053f30410a22e76d95489571144c6a135b8de9c3185b3c
            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
            • Instruction Fuzzy Hash: 23F0F675A013556FEB10DFAA8940FEBBFA8AF84614F088597B9029F241DA30E940CB59
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 977162f0d6587274677c7a78f345b5f0562110148065175e277afc7d517e68bd
            • Instruction ID: 69d585d19d21c31adaba8e1e3dc36064f65f894ced15fed5d3de64607b9d9f72
            • Opcode Fuzzy Hash: 977162f0d6587274677c7a78f345b5f0562110148065175e277afc7d517e68bd
            • Instruction Fuzzy Hash: E1015AB4A00209DFDB04DFAAD441B9EF7F4FF08300F04826AA519EB391EA749A008B95
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f2999233bc4788db6cb7069878cfef68dcb24e375bb8e10e562a21eb2d762772
            • Instruction ID: ed5e3e0875abe6b0eb044d1acd0f4d541b6084456f3947cdf9fd9a7abf7c7f64
            • Opcode Fuzzy Hash: f2999233bc4788db6cb7069878cfef68dcb24e375bb8e10e562a21eb2d762772
            • Instruction Fuzzy Hash: 69F0F6713042245FE250D6559C42B777A99DBC0650FA9806BE6059F7C1EA70DC01869D
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction ID: ca92635d8bf5e6da057f0013c55dcfb10e7785471cb195d1311b24c59f89513a
            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
            • Instruction Fuzzy Hash: 2BF04FBA940304BFE711EBA4CD41FDA77BCEB04710F10056AA916DA1D0EA70EB44CB94
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: 77f92c57d54b33af73efbbbea678ffa63f261870a6b1d18572ffb6503010770a
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: AFF0BE3A341A124BDB35EA2F8430B2BE296AF80A00B49052F9811CFB80DF30D8218788
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ea6e8bff5e54ebfee5eba7daea3d9a309abd8658c1e04c6a935146b389071a3f
            • Instruction ID: 9bfc103fb0c68eca0d466b5dc0838d27667cea486f0f678ae8169631093491d4
            • Opcode Fuzzy Hash: ea6e8bff5e54ebfee5eba7daea3d9a309abd8658c1e04c6a935146b389071a3f
            • Instruction Fuzzy Hash: 28F08C75A00248EFDB04EFA9D505AAEB7F4EF18300F40406AB945EF381D674DA01CB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 730903b4992622277009d2d8618add7ab0f9df1a0122bc153780796fb7e6df07
            • Instruction ID: 1e29d44d2d0744f57245270c68da18d76f90cbbbc25f82b3698cbf223d93641e
            • Opcode Fuzzy Hash: 730903b4992622277009d2d8618add7ab0f9df1a0122bc153780796fb7e6df07
            • Instruction Fuzzy Hash: B0F0F032200340AFD731EB4ACC04F9BBBEDEF88B00F08012EA54297190C7A0A909C654
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3628b14a8fe7c638453de3437cfcdc6327ccce1ea2f6e233e03d7b2c626f490c
            • Instruction ID: 2b88f73f4015990c90a8ebd303a4d3965335e444b1dac761c761d1747795fbad
            • Opcode Fuzzy Hash: 3628b14a8fe7c638453de3437cfcdc6327ccce1ea2f6e233e03d7b2c626f490c
            • Instruction Fuzzy Hash: 11F0F03D9023D08ED725CB1BC404BA6B7D8DB0A720F0C98ABC4998F741C320D881CA08
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f0feb34ec122888713823ea5b93c9378ccdaedebd805b3d3a20f4539ff478f2d
            • Instruction ID: 578a662eb16ae826595d33037fd695ceef5dd7a0d9fb82e169fca8ea0524778a
            • Opcode Fuzzy Hash: f0feb34ec122888713823ea5b93c9378ccdaedebd805b3d3a20f4539ff478f2d
            • Instruction Fuzzy Hash: 67F06D79A10348EFDB14EFAAD805EAEB7F4AF08304F00406AE901EF391E674D901DB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2c9e389ccf7715fedb59e3bcfb868314cfe936987c36a5704f009666651c0a94
            • Instruction ID: 64ea0020f703750876ed26b91102ddb02dee912d68fefcb62e22f90d4863065b
            • Opcode Fuzzy Hash: 2c9e389ccf7715fedb59e3bcfb868314cfe936987c36a5704f009666651c0a94
            • Instruction Fuzzy Hash: A0F0273A4167C04ECF31FB297690692AF68A793010F1E108BC5A15F316C9B98887D62C
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 729157448129532a0c06a92a4e20042bd668682bc71501ddb207ef40fde7acf1
            • Instruction ID: 495942dcc94e196df7e2cc3d41986e02bfbaeb8c16d0d4a4036788f123ffe975
            • Opcode Fuzzy Hash: 729157448129532a0c06a92a4e20042bd668682bc71501ddb207ef40fde7acf1
            • Instruction Fuzzy Hash: 7BF0B474A1074C9FDB04EF79E441EADB7B4EF04300F108459E501EF290EA74D901CB24
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 24d074997e188c8d88a5d60030afc4a39707b7b5f6609d545dc874397b1b3f96
            • Instruction ID: be5c2df4cdb4a9dc206209319dfd2ae3254958c2a135984e26ca1f2868f6f84f
            • Opcode Fuzzy Hash: 24d074997e188c8d88a5d60030afc4a39707b7b5f6609d545dc874397b1b3f96
            • Instruction Fuzzy Hash: CBF0BE74A10348AFDB04EFBAE901EAEB3B8BF14300F444469A401EF2D0EA74D900CB58
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fd6d298ae3d45b786a4236d90b8c0e456aed326072d224fcc801b7ff01562862
            • Instruction ID: 94959df3601ab5af5733ae1eb9e0dbe9c74e60b6f05b85f7b1b90ca3bdc0b624
            • Opcode Fuzzy Hash: fd6d298ae3d45b786a4236d90b8c0e456aed326072d224fcc801b7ff01562862
            • Instruction Fuzzy Hash: 52F0B474A10349DFDB04EFA5E501EAEB7B4BF04300F004859A441EF3D1EA34D9008B54
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction ID: 6f7a9c943c37f98e3f0e0873bc036f3957cbb25a9d0a354364fb562de068d9e6
            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction Fuzzy Hash: 0BE092723006402BE721DE5ACC80F87776EAF92B10F04047FB5045E251CAE29D0982A8
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3b1d65a00bc45bb56f2001d05c11f987ff30541ceb3d97b536bd80dd74699df9
            • Instruction ID: 8e3762c0eaeff1699cffa7dba4681751da7f55f2fafdcd3067e940342229de02
            • Opcode Fuzzy Hash: 3b1d65a00bc45bb56f2001d05c11f987ff30541ceb3d97b536bd80dd74699df9
            • Instruction Fuzzy Hash: C9F08274A04248AFDB14EFBAE945E9EB7B8AF0A304F540459A501EF2E0EA74D9008719
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            • Instruction ID: bac37f058a9e44e3df3b834c4ea919e15cc8c498e56e899edf1770c556259564
            • Opcode Fuzzy Hash: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
            • Instruction Fuzzy Hash: DA90023120140C42D100B2584444B8A0006C7F0301F95C017A0124A58D8715C9517525
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
            • Instruction ID: b67a08933cf5a815060eef9f3b48562ffb39c8f438640fc5365241e215c9c810
            • Opcode Fuzzy Hash: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
            • Instruction Fuzzy Hash: 5F90023120148C02D110B258844478E0006C7E0301F99C412A4424A5CD879589917125
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ac29edba6b7b7046f57b1685b0cf64795c3f1e5d8d84e3ced624d4fc8996f1c8
            • Instruction ID: f06c1f908be437909d050ca40309b51332627b7eb4e360361cbc4ebbdc595c59
            • Opcode Fuzzy Hash: ac29edba6b7b7046f57b1685b0cf64795c3f1e5d8d84e3ced624d4fc8996f1c8
            • Instruction Fuzzy Hash: 3090022160540802D140B258545874A0016C7E0301F95D012A0024958DC7598B5566A5
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b7a04e4bf0088d69d13e376e8da3d955ed0aa8960bc2ed3dd72658e904c7a42c
            • Instruction ID: a5f7e444ad941f78757c7fa50ded580913021834dca4b29cbff90b466098e92c
            • Opcode Fuzzy Hash: b7a04e4bf0088d69d13e376e8da3d955ed0aa8960bc2ed3dd72658e904c7a42c
            • Instruction Fuzzy Hash: 6D90023120140803D100B258554874B0006C7E0301F95D412A042495CDD75689516125
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
            • Instruction ID: 946a263a7d4d4efd4ba6c07d996a6645221cdf0dd07269b2c62c99fa2a5343fa
            • Opcode Fuzzy Hash: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
            • Instruction Fuzzy Hash: 4790023120140802D100B698544868A0006C7F0301F95D012A5024959EC76589916135
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: 4f8004c5e8ac37823df6458296f537abc56ba31f6f56780d998710515bb2dd5b
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            Strings
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 034A4655
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 034A4742
            • Execute=1, xrefs: 034A4713
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 034A4787
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 034A46FC
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 034A4725
            • ExecuteOptions, xrefs: 034A46A0
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            Strings
            • RTL: Re-Waiting, xrefs: 034A031E
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034A02E7
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034A02BD
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            Strings
            • RTL: Re-Waiting, xrefs: 034A7BAC
            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 034A7B7F
            • RTL: Resource at %p, xrefs: 034A7B8E
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 0-871070163
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034A728C
            Strings
            • RTL: Re-Waiting, xrefs: 034A72C1
            • RTL: Resource at %p, xrefs: 034A72A3
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 034A7294
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-
            • API String ID: 1302938615-2137968064
            Memory Dump Source
            • Source File: 00000004.00000002.2189946586.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_3400000_svchost.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280