Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
3HnH4uJtE7.exe

Overview

General Information

Sample name:3HnH4uJtE7.exe
renamed because original name is a hash value
Original sample name:cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3.exe
Analysis ID:1587863
MD5:b88bab75a48b9fefcd3395afa9891d69
SHA1:d35d41a4330b17b8518204a483b8f4800012718a
SHA256:cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3
Tags:exeFormbookuser-adrian__luca
Infos:

Detection

FormBook
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 3HnH4uJtE7.exe (PID: 8020 cmdline: "C:\Users\user\Desktop\3HnH4uJtE7.exe" MD5: B88BAB75A48B9FEFCD3395AFA9891D69)
    • svchost.exe (PID: 8108 cmdline: "C:\Users\user\Desktop\3HnH4uJtE7.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.1600838338.0000000002D20000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ParentImage: C:\Users\user\Desktop\3HnH4uJtE7.exe, ParentProcessId: 8020, ParentProcessName: 3HnH4uJtE7.exe, ProcessCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ProcessId: 8108, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ParentImage: C:\Users\user\Desktop\3HnH4uJtE7.exe, ParentProcessId: 8020, ParentProcessName: 3HnH4uJtE7.exe, ProcessCommandLine: "C:\Users\user\Desktop\3HnH4uJtE7.exe", ProcessId: 8108, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: 3HnH4uJtE7.exeVirustotal: Detection: 69%Perma Link
          Source: 3HnH4uJtE7.exeReversingLabs: Detection: 78%
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1600838338.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: 3HnH4uJtE7.exeJoe Sandbox ML: detected
          Source: 3HnH4uJtE7.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1545708440.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1601029420.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1549567579.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1545708440.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1601029420.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1549567579.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: global trafficTCP traffic: 192.168.2.10:55129 -> 1.1.1.1:53
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1600838338.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Binary is likely a compiled AutoIt script file
          Source: 3HnH4uJtE7.exe, 00000000.00000000.1340728953.0000000000C12000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0b5f9aed-0
          Source: 3HnH4uJtE7.exe, 00000000.00000000.1340728953.0000000000C12000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_0859b51b-1
          Source: 3HnH4uJtE7.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_52c4e7ec-1
          Source: 3HnH4uJtE7.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_540a015b-e
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042CB43 NtClose,2_2_0042CB43
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AA5A NtAllocateVirtualMemory,2_2_0040AA5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,2_2_034735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B60 NtClose,LdrInitializeThunk,2_2_03472B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03472DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474340 NtSetContextThread,2_2_03474340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473010 NtOpenDirectoryObject,2_2_03473010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473090 NtSetValueKey,2_2_03473090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474650 NtSuspendThread,2_2_03474650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BE0 NtQueryValueKey,2_2_03472BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BF0 NtAllocateVirtualMemory,2_2_03472BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B80 NtQueryInformationFile,2_2_03472B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BA0 NtEnumerateValueKey,2_2_03472BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AD0 NtReadFile,2_2_03472AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AF0 NtWriteFile,2_2_03472AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AB0 NtWaitForSingleObject,2_2_03472AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034739B0 NtGetContextThread,2_2_034739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F60 NtCreateProcessEx,2_2_03472F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F30 NtCreateSection,2_2_03472F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FE0 NtCreateFile,2_2_03472FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F90 NtProtectVirtualMemory,2_2_03472F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FA0 NtQuerySection,2_2_03472FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FB0 NtResumeThread,2_2_03472FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E30 NtWriteVirtualMemory,2_2_03472E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EE0 NtQueueApcThread,2_2_03472EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E80 NtReadVirtualMemory,2_2_03472E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EA0 NtAdjustPrivilegesToken,2_2_03472EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473D70 NtOpenThread,2_2_03473D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D00 NtSetInformationFile,2_2_03472D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D10 NtMapViewOfSection,2_2_03472D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473D10 NtOpenProcessToken,2_2_03473D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D30 NtUnmapViewOfSection,2_2_03472D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DD0 NtDelayExecution,2_2_03472DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DB0 NtEnumerateKey,2_2_03472DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C60 NtCreateKey,2_2_03472C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C70 NtFreeVirtualMemory,2_2_03472C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C00 NtQueryInformationProcess,2_2_03472C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CC0 NtQueryVirtualMemory,2_2_03472CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CF0 NtOpenProcess,2_2_03472CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CA0 NtQueryInformationToken,2_2_03472CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004030102_2_00403010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042F1732_2_0042F173
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041024A2_2_0041024A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004102532_2_00410253
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004012202_2_00401220
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402B802_2_00402B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004043B52_2_004043B5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004104732_2_00410473
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E4732_2_0040E473
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416C102_2_00416C10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416C132_2_00416C13
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004024D02_2_004024D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E5C32_2_0040E5C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E5B82_2_0040E5B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004027402_2_00402740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D34C2_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA3522_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F132D2_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F02_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035003E62_2_035003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0348739A2_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E02742_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C02_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452A02_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347516C2_2_0347516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F1722_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350B16B2_2_0350B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034301002_2_03430100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA1182_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F81CC2_2_034F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344B1B02_2_0344B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035001AA2_2_035001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF0CC2_2_034EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C02_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F70E92_2_034F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF0E02_2_034FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034647502_2_03464750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034407702_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C02_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034317EC2_2_034317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF7B02_2_034FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F16CC2_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C6E02_2_0345C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F75712_2_034F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034405352_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035005912_2_03500591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DD5B02_2_034DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F24462_2_034F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034314602_2_03431460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF43F2_2_034FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EE4F62_2_034EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFB762_2_034FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F6BD72_2_034F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345FB802_2_0345FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFA492_2_034FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F7A462_2_034F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B3A6C2_2_034B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EDAC62_2_034EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA802_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DDAAC2_2_034DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03485AA02_2_03485AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034499502_2_03449950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B9502_2_0345B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034569622_2_03456962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034429A02_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350A9A62_2_0350A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344A8402_2_0344A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034438E02_2_034438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E8F02_2_0346E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034268B82_2_034268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4F402_2_034B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFF092_2_034FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460F302_2_03460F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432FC82_2_03432FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344CFE02_2_0344CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441F922_2_03441F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFFB12_2_034FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440E592_2_03440E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEE262_2_034FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEEDB2_2_034FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03452E902_2_03452E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FCE932_2_034FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03449EB02_2_03449EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03443D402_2_03443D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F1D5A2_2_034F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F7D732_2_034F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344AD002_2_0344AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345FDC02_2_0345FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ADE02_2_0343ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03458DBF2_2_03458DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440C002_2_03440C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B9C322_2_034B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430CF22_2_03430CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0CB52_2_034E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034AEA12 appears 84 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B970 appears 269 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03475130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03487E54 appears 86 times
          Source: 3HnH4uJtE7.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeFile created: C:\Users\user\AppData\Local\Temp\aut955D.tmpJump to behavior
          Source: 3HnH4uJtE7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: 3HnH4uJtE7.exeVirustotal: Detection: 69%
          Source: 3HnH4uJtE7.exeReversingLabs: Detection: 78%
          Source: unknownProcess created: C:\Users\user\Desktop\3HnH4uJtE7.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"Jump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: ntmarta.dllJump to behavior
          Source: 3HnH4uJtE7.exeStatic file information: File size 1401344 > 1048576
          Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: 3HnH4uJtE7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1545708440.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1601029420.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1549567579.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1545708440.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1601029420.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1549567579.0000000003200000.00000004.00000020.00020000.00000000.sdmp
          Source: 3HnH4uJtE7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: 3HnH4uJtE7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: 3HnH4uJtE7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: 3HnH4uJtE7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: 3HnH4uJtE7.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A07C push ecx; iretd 2_2_0041A07D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00407174 push ss; ret 2_2_00407192
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041F128 pushad ; ret 2_2_0041F13E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00405133 pushfd ; retf 2_2_00405135
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A9EE push edi; retf 2_2_0041A9FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A9F3 push edi; retf 2_2_0041A9FE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041BAC4 push esi; retf 2_2_0041BACB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AAE5 push es; ret 2_2_0040AAE8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00403290 push eax; ret 2_2_00403292
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D3B2 pushad ; retf 2_2_0040D3B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417609 push eax; retf 2_2_0041760A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004127CA push ebx; iretd 2_2_004127CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx2_2_034309B6
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeAPI/Special instruction interceptor: Address: 167398C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041BAC4 rdtsc 2_2_0041BAC4
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 8112Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041BAC4 rdtsc 2_2_0041BAC4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417BA3 LdrLoadDll,2_2_00417BA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h]2_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D34C mov eax, dword ptr fs:[00000030h]2_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D34C mov eax, dword ptr fs:[00000030h]2_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03505341 mov eax, dword ptr fs:[00000030h]2_2_03505341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429353 mov eax, dword ptr fs:[00000030h]2_2_03429353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429353 mov eax, dword ptr fs:[00000030h]2_2_03429353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B035C mov eax, dword ptr fs:[00000030h]2_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]2_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF367 mov eax, dword ptr fs:[00000030h]2_2_034EF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]2_2_034D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03437370 mov eax, dword ptr fs:[00000030h]2_2_03437370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03437370 mov eax, dword ptr fs:[00000030h]2_2_03437370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03437370 mov eax, dword ptr fs:[00000030h]2_2_03437370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B930B mov eax, dword ptr fs:[00000030h]2_2_034B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B930B mov eax, dword ptr fs:[00000030h]2_2_034B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B930B mov eax, dword ptr fs:[00000030h]2_2_034B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]2_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]2_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h]2_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]2_2_0342C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]2_2_03450310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F132D mov eax, dword ptr fs:[00000030h]2_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F132D mov eax, dword ptr fs:[00000030h]2_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345F32A mov eax, dword ptr fs:[00000030h]2_2_0345F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03427330 mov eax, dword ptr fs:[00000030h]2_2_03427330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]2_2_034EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EB3D0 mov ecx, dword ptr fs:[00000030h]2_2_034EB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF3E6 mov eax, dword ptr fs:[00000030h]2_2_034EF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035053FC mov eax, dword ptr fs:[00000030h]2_2_035053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]2_2_034663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350539D mov eax, dword ptr fs:[00000030h]2_2_0350539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0348739A mov eax, dword ptr fs:[00000030h]2_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0348739A mov eax, dword ptr fs:[00000030h]2_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034533A5 mov eax, dword ptr fs:[00000030h]2_2_034533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034633A0 mov eax, dword ptr fs:[00000030h]2_2_034633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034633A0 mov eax, dword ptr fs:[00000030h]2_2_034633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429240 mov eax, dword ptr fs:[00000030h]2_2_03429240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429240 mov eax, dword ptr fs:[00000030h]2_2_03429240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346724D mov eax, dword ptr fs:[00000030h]2_2_0346724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]2_2_0342A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EB256 mov eax, dword ptr fs:[00000030h]2_2_034EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EB256 mov eax, dword ptr fs:[00000030h]2_2_034EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]2_2_03436259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FD26B mov eax, dword ptr fs:[00000030h]2_2_034FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FD26B mov eax, dword ptr fs:[00000030h]2_2_034FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]2_2_0342826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03459274 mov eax, dword ptr fs:[00000030h]2_2_03459274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03471270 mov eax, dword ptr fs:[00000030h]2_2_03471270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03471270 mov eax, dword ptr fs:[00000030h]2_2_03471270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03467208 mov eax, dword ptr fs:[00000030h]2_2_03467208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03467208 mov eax, dword ptr fs:[00000030h]2_2_03467208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03505227 mov eax, dword ptr fs:[00000030h]2_2_03505227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]2_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]2_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]2_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]2_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]2_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]2_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C0 mov eax, dword ptr fs:[00000030h]2_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034392C5 mov eax, dword ptr fs:[00000030h]2_2_034392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034392C5 mov eax, dword ptr fs:[00000030h]2_2_034392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B2D3 mov eax, dword ptr fs:[00000030h]2_2_0342B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B2D3 mov eax, dword ptr fs:[00000030h]2_2_0342B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B2D3 mov eax, dword ptr fs:[00000030h]2_2_0342B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345F2D0 mov eax, dword ptr fs:[00000030h]2_2_0345F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345F2D0 mov eax, dword ptr fs:[00000030h]2_2_0345F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED mov eax, dword ptr fs:[00000030h]2_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035052E2 mov eax, dword ptr fs:[00000030h]2_2_035052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF2F8 mov eax, dword ptr fs:[00000030h]2_2_034EF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034292FF mov eax, dword ptr fs:[00000030h]2_2_034292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03505283 mov eax, dword ptr fs:[00000030h]2_2_03505283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346329E mov eax, dword ptr fs:[00000030h]2_2_0346329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346329E mov eax, dword ptr fs:[00000030h]2_2_0346329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]2_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]2_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]2_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452A0 mov eax, dword ptr fs:[00000030h]2_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]2_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]2_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]2_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F92A6 mov eax, dword ptr fs:[00000030h]2_2_034F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C72A0 mov eax, dword ptr fs:[00000030h]2_2_034C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C72A0 mov eax, dword ptr fs:[00000030h]2_2_034C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B92BC mov eax, dword ptr fs:[00000030h]2_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B92BC mov eax, dword ptr fs:[00000030h]2_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B92BC mov ecx, dword ptr fs:[00000030h]2_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B92BC mov ecx, dword ptr fs:[00000030h]2_2_034B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03505152 mov eax, dword ptr fs:[00000030h]2_2_03505152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]2_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]2_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]2_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429148 mov eax, dword ptr fs:[00000030h]2_2_03429148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03437152 mov eax, dword ptr fs:[00000030h]2_2_03437152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]2_2_0342C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F172 mov eax, dword ptr fs:[00000030h]2_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C9179 mov eax, dword ptr fs:[00000030h]2_2_034C9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03431131 mov eax, dword ptr fs:[00000030h]2_2_03431131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03431131 mov eax, dword ptr fs:[00000030h]2_2_03431131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]2_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]2_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]2_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B136 mov eax, dword ptr fs:[00000030h]2_2_0342B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346D1D0 mov eax, dword ptr fs:[00000030h]2_2_0346D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346D1D0 mov ecx, dword ptr fs:[00000030h]2_2_0346D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035051CB mov eax, dword ptr fs:[00000030h]2_2_035051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034551EF mov eax, dword ptr fs:[00000030h]2_2_034551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034351ED mov eax, dword ptr fs:[00000030h]2_2_034351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]2_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]2_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]2_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E11A4 mov eax, dword ptr fs:[00000030h]2_2_034E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344B1B0 mov eax, dword ptr fs:[00000030h]2_2_0344B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D705E mov ebx, dword ptr fs:[00000030h]2_2_034D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D705E mov eax, dword ptr fs:[00000030h]2_2_034D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B052 mov eax, dword ptr fs:[00000030h]2_2_0345B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03505060 mov eax, dword ptr fs:[00000030h]2_2_03505060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov ecx, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441070 mov eax, dword ptr fs:[00000030h]2_2_03441070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]2_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]2_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]2_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F903E mov eax, dword ptr fs:[00000030h]2_2_034F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov ecx, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C0 mov eax, dword ptr fs:[00000030h]2_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035050D9 mov eax, dword ptr fs:[00000030h]2_2_035050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034590DB mov eax, dword ptr fs:[00000030h]2_2_034590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034550E4 mov eax, dword ptr fs:[00000030h]2_2_034550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034550E4 mov ecx, dword ptr fs:[00000030h]2_2_034550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D08D mov eax, dword ptr fs:[00000030h]2_2_0342D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03435096 mov eax, dword ptr fs:[00000030h]2_2_03435096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345D090 mov eax, dword ptr fs:[00000030h]2_2_0345D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345D090 mov eax, dword ptr fs:[00000030h]2_2_0345D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346909C mov eax, dword ptr fs:[00000030h]2_2_0346909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03443740 mov eax, dword ptr fs:[00000030h]2_2_03443740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03443740 mov eax, dword ptr fs:[00000030h]2_2_03443740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03443740 mov eax, dword ptr fs:[00000030h]2_2_03443740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03503749 mov eax, dword ptr fs:[00000030h]2_2_03503749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]2_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]2_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]2_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342B765 mov eax, dword ptr fs:[00000030h]2_2_0342B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03437703 mov eax, dword ptr fs:[00000030h]2_2_03437703
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03435702 mov eax, dword ptr fs:[00000030h]2_2_03435702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03435702 mov eax, dword ptr fs:[00000030h]2_2_03435702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346F71F mov eax, dword ptr fs:[00000030h]2_2_0346F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346F71F mov eax, dword ptr fs:[00000030h]2_2_0346F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF72E mov eax, dword ptr fs:[00000030h]2_2_034EF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03433720 mov eax, dword ptr fs:[00000030h]2_2_03433720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344F720 mov eax, dword ptr fs:[00000030h]2_2_0344F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344F720 mov eax, dword ptr fs:[00000030h]2_2_0344F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344F720 mov eax, dword ptr fs:[00000030h]2_2_0344F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F972B mov eax, dword ptr fs:[00000030h]2_2_034F972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]2_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]2_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]2_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350B73C mov eax, dword ptr fs:[00000030h]2_2_0350B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429730 mov eax, dword ptr fs:[00000030h]2_2_03429730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03429730 mov eax, dword ptr fs:[00000030h]2_2_03429730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03465734 mov eax, dword ptr fs:[00000030h]2_2_03465734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343973A mov eax, dword ptr fs:[00000030h]2_2_0343973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343973A mov eax, dword ptr fs:[00000030h]2_2_0343973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034357C0 mov eax, dword ptr fs:[00000030h]2_2_034357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034357C0 mov eax, dword ptr fs:[00000030h]2_2_034357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034357C0 mov eax, dword ptr fs:[00000030h]2_2_034357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343D7E0 mov ecx, dword ptr fs:[00000030h]2_2_0343D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034317EC mov eax, dword ptr fs:[00000030h]2_2_034317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034317EC mov eax, dword ptr fs:[00000030h]2_2_034317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034317EC mov eax, dword ptr fs:[00000030h]2_2_034317EC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF78A mov eax, dword ptr fs:[00000030h]2_2_034EF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B97A9 mov eax, dword ptr fs:[00000030h]2_2_034B97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]2_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]2_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]2_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]2_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BF7AF mov eax, dword ptr fs:[00000030h]2_2_034BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035037B6 mov eax, dword ptr fs:[00000030h]2_2_035037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345D7B0 mov eax, dword ptr fs:[00000030h]2_2_0345D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F7BA mov eax, dword ptr fs:[00000030h]2_2_0342F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03469660 mov eax, dword ptr fs:[00000030h]2_2_03469660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03469660 mov eax, dword ptr fs:[00000030h]2_2_03469660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03461607 mov eax, dword ptr fs:[00000030h]2_2_03461607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346F603 mov eax, dword ptr fs:[00000030h]2_2_0346F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03433616 mov eax, dword ptr fs:[00000030h]2_2_03433616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03433616 mov eax, dword ptr fs:[00000030h]2_2_03433616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F626 mov eax, dword ptr fs:[00000030h]2_2_0342F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03505636 mov eax, dword ptr fs:[00000030h]2_2_03505636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]2_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]2_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]2_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]2_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]2_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343B6C0 mov eax, dword ptr fs:[00000030h]2_2_0343B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]2_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]2_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]2_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F16CC mov eax, dword ptr fs:[00000030h]2_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF6C7 mov eax, dword ptr fs:[00000030h]2_2_034EF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034616CF mov eax, dword ptr fs:[00000030h]2_2_034616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]2_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]2_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]2_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]2_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]2_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C36EE mov eax, dword ptr fs:[00000030h]2_2_034C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345D6E0 mov eax, dword ptr fs:[00000030h]2_2_0345D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345D6E0 mov eax, dword ptr fs:[00000030h]2_2_0345D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034636EF mov eax, dword ptr fs:[00000030h]2_2_034636EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034ED6F0 mov eax, dword ptr fs:[00000030h]2_2_034ED6F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]2_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]2_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]2_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B368C mov eax, dword ptr fs:[00000030h]2_2_034B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]2_2_0346C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D6AA mov eax, dword ptr fs:[00000030h]2_2_0342D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D6AA mov eax, dword ptr fs:[00000030h]2_2_0342D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034276B2 mov eax, dword ptr fs:[00000030h]2_2_034276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034276B2 mov eax, dword ptr fs:[00000030h]2_2_034276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034276B2 mov eax, dword ptr fs:[00000030h]2_2_034276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]2_2_034666B0

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 977008Jump to behavior
          Source: C:\Users\user\Desktop\3HnH4uJtE7.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\3HnH4uJtE7.exe"Jump to behavior
          Source: 3HnH4uJtE7.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1600838338.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1600838338.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		212
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping12
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		212
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS11
          System Information Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          3HnH4uJtE7.exe69%VirustotalBrowse
          3HnH4uJtE7.exe79%ReversingLabsWin32.Trojan.AutoitInject
          3HnH4uJtE7.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          s-part-0017.t-0009.t-msedge.net
          		13.107.246.45
          		truefalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1587863
            Start date and time:2025-01-10 18:42:55 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 58s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:9
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:3HnH4uJtE7.exe
            renamed because original name is a hash value
            Original Sample Name:cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3.exe
            Detection:MAL
            Classification:mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 92%
            • Number of executed functions: 9
            • Number of non-executed functions: 313
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information

            Simulations

            Behavior and APIs

            TimeTypeDescription
            12:44:17API Interceptor3x Sleep call for process: svchost.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            s-part-0017.t-0009.t-msedge.netEncrypted_Archive_2025_LHC1W64SMW.htmlGet hashmaliciousHTMLPhisherBrowse
            • 13.107.246.45
            GcA5z6ZWRK.exeGet hashmaliciousUnknownBrowse
            • 13.107.246.45
            Unconfirmed 287374.emlGet hashmaliciousUnknownBrowse
            • 13.107.246.45
            https://www.depoqq.win/genoGet hashmaliciousUnknownBrowse
            • 13.107.246.45
            17048156412338914445.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            251443863021115246.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            12662108703247616042.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            wN7EPNiHSM.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            334130052300215064.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            http://infarmbureau.comGet hashmaliciousUnknownBrowse
            • 13.107.246.45

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\aut955D.tmp

            Download File
            Process:C:\Users\user\Desktop\3HnH4uJtE7.exe
            File Type:data
            Category:dropped
            Size (bytes):289280
            Entropy (8bit):7.994518592457586
            Encrypted:true
            SSDEEP:6144:0WBAoEs4XpTTQ0MeUcfTIAvXst919f2lnJotSgZm89:/BfGubcfTIAPsnwKogZN9
            MD5:74432259BF5893C866138E3F6F4A795E
            SHA1:9C604E15501E462FBB3DFA482CE21F35C20D32E8
            SHA-256:0619895F80E34FFFA96BC3A207F7AF32433DFFD277FCB91CE071BEC1A41499B3
            SHA-512:ED2F9876C8E7412F95129AEBF3A4CF564A7D201B2D31A832AAE169126CE7714ED385EF9EC005D59CE3CF97D99963FDD178FE4B75497537CCFAD8E187E02CD470
            Malicious:false
            Reputation:low
            Preview:...7BPUKJ2M8.6O.DJ7APUK.2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M8.O6OZ[.9A.\.o.Lt.nb'=7jG3?29/_m[Q!X d(Ra" %n[#.t.eo9+.Ro]XAj2M80O6O-EC.|02.sR*../Q.N...{02.T..../Q.N...}02..[.P./Q.TDJ7APUK.wM8|N7O>KcoAPUKN2M8.O4N_EA7A.QKN2M80O6O.PJ7A@UKNBI80OvOTTJ7ARUKH2M80O6ORDJ7APUKNBI80M6OTDJ7CP..N2]80_6OTDZ7A@UKN2M8 O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6Oz0/O5PUK.dI80_6OT.N7A@UKN2M80O6OTDJ7aPU+N2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUK

            C:\Users\user\AppData\Local\Temp\chiffons

            Download File
            Process:C:\Users\user\Desktop\3HnH4uJtE7.exe
            File Type:data
            Category:dropped
            Size (bytes):289280
            Entropy (8bit):7.994518592457586
            Encrypted:true
            SSDEEP:6144:0WBAoEs4XpTTQ0MeUcfTIAvXst919f2lnJotSgZm89:/BfGubcfTIAPsnwKogZN9
            MD5:74432259BF5893C866138E3F6F4A795E
            SHA1:9C604E15501E462FBB3DFA482CE21F35C20D32E8
            SHA-256:0619895F80E34FFFA96BC3A207F7AF32433DFFD277FCB91CE071BEC1A41499B3
            SHA-512:ED2F9876C8E7412F95129AEBF3A4CF564A7D201B2D31A832AAE169126CE7714ED385EF9EC005D59CE3CF97D99963FDD178FE4B75497537CCFAD8E187E02CD470
            Malicious:false
            Reputation:low
            Preview:...7BPUKJ2M8.6O.DJ7APUK.2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M8.O6OZ[.9A.\.o.Lt.nb'=7jG3?29/_m[Q!X d(Ra" %n[#.t.eo9+.Ro]XAj2M80O6O-EC.|02.sR*../Q.N...{02.T..../Q.N...}02..[.P./Q.TDJ7APUK.wM8|N7O>KcoAPUKN2M8.O4N_EA7A.QKN2M80O6O.PJ7A@UKNBI80OvOTTJ7ARUKH2M80O6ORDJ7APUKNBI80M6OTDJ7CP..N2]80_6OTDZ7A@UKN2M8 O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6Oz0/O5PUK.dI80_6OT.N7A@UKN2M80O6OTDJ7aPU+N2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUKN2M80O6OTDJ7APUK

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.103986593999411
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:3HnH4uJtE7.exe
            File size:1'401'344 bytes
            MD5:b88bab75a48b9fefcd3395afa9891d69
            SHA1:d35d41a4330b17b8518204a483b8f4800012718a
            SHA256:cb8928597d08e9bb6c3c7ee9df7eb836df1f85a9668054765dd6eb75a33516a3
            SHA512:f33af8ebb3ec7e82bb901637656cc0f17d326fa343b4df62631cc8a5cc37f9b1f8c45db7b9d55da8f5f007999fc38232f262cebc04799e93300f462bd4405764
            SSDEEP:24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8aVFfrXBnHVzuvz/CecYHYbi3:ZTvC/MTQYxsWR7aVVXxFGLCGHj
            TLSH:2C55C00277818062FFAB9B320B56E611467D7E262933F51F17983879BB721F1063E663
            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

            File Icon

            Icon Hash:0d61030111110104

            Static PE Info

            General

            Entrypoint:0x420577
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x67622C3C [Wed Dec 18 01:58:20 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:948cc502fe9226992dce9417f952fce3

            Entrypoint Preview

            Instruction
            call 00007F8630C090E3h
            jmp 00007F8630C089EFh
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007F8630C08BCDh
            mov dword ptr [esi], 0049FDF0h
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 0049FDF8h
            mov dword ptr [ecx], 0049FDF0h
            ret
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007F8630C08B9Ah
            mov dword ptr [esi], 0049FE0Ch
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 0049FE14h
            mov dword ptr [ecx], 0049FE0Ch
            ret
            push ebp
            mov ebp, esp
            push esi
            mov esi, ecx
            lea eax, dword ptr [esi+04h]
            mov dword ptr [esi], 0049FDD0h
            and dword ptr [eax], 00000000h
            and dword ptr [eax+04h], 00000000h
            push eax
            mov eax, dword ptr [ebp+08h]
            add eax, 04h
            push eax
            call 00007F8630C0B78Dh
            pop ecx
            pop ecx
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            lea eax, dword ptr [ecx+04h]
            mov dword ptr [ecx], 0049FDD0h
            push eax
            call 00007F8630C0B7D8h
            pop ecx
            ret
            push ebp
            mov ebp, esp
            push esi
            mov esi, ecx
            lea eax, dword ptr [esi+04h]
            mov dword ptr [esi], 0049FDD0h
            push eax
            call 00007F8630C0B7C1h
            test byte ptr [ebp+08h], 00000001h
            pop ecx

            Rich Headers

            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xc8e640x17c.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xd40000x7f760.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1540000x7594.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0xb0ff00x1c.rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0xc34000x18.rdata
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xb10100x40.rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x9c0000x894.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x9ab1d0x9ac000a1473f3064dcbc32ef93c5c8a90f3a6False0.565500681542811data6.668273581389308IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x9c0000x2fb820x2fc00c9cf2468b60bf4f80f136ed54b3989fbFalse0.35289185209424084data5.691811547483722IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0xcc0000x706c0x480053b9025d545d65e23295e30afdbd16d9False0.04356553819444445DOS executable (block device driver @\273\)0.5846666986982398IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0xd40000x7f7600x7f800ecd0b03589162f724f2159a3f3617b9dFalse0.8442861519607843data7.460678008960258IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x1540000x75940x7600c68ee8931a32d45eb82dc450ee40efc3False0.7628111758474576data6.7972128181359786IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_ICON0xd45480x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
            RT_ICON0xd46700x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
            RT_ICON0xd47980x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
            RT_ICON0xd48c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/mEnglishGreat Britain0.4397163120567376
            RT_ICON0xd4d280x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/mEnglishGreat Britain0.3449812382739212
            RT_ICON0xd5dd00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/mEnglishGreat Britain0.3120331950207469
            RT_ICON0xd83780x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/mEnglishGreat Britain0.2896197449220595
            RT_ICON0xdc5a00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/mEnglishGreat Britain0.24670235419377737
            RT_ICON0xecdc80xe41ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.000188362615158
            RT_MENU0xfb1e80x50dataEnglishGreat Britain0.9
            RT_STRING0xfb2380x594dataEnglishGreat Britain0.3333333333333333
            RT_STRING0xfb7cc0x68adataEnglishGreat Britain0.2735961768219833
            RT_STRING0xfbe580x490dataEnglishGreat Britain0.3715753424657534
            RT_STRING0xfc2e80x5fcdataEnglishGreat Britain0.3087467362924282
            RT_STRING0xfc8e40x65cdataEnglishGreat Britain0.34336609336609336
            RT_STRING0xfcf400x466dataEnglishGreat Britain0.3605683836589698
            RT_STRING0xfd3a80x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
            RT_RCDATA0xfd5000x55cf9data1.000330032064322
            RT_GROUP_ICON0x1531fc0x5adataEnglishGreat Britain0.7888888888888889
            RT_GROUP_ICON0x1532580x14dataEnglishGreat Britain1.25
            RT_GROUP_ICON0x15326c0x14dataEnglishGreat Britain1.15
            RT_GROUP_ICON0x1532800x14dataEnglishGreat Britain1.25
            RT_VERSION0x1532940xdcdataEnglishGreat Britain0.6181818181818182
            RT_MANIFEST0x1533700x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

            Imports

            DLLImport
            WSOCK32.dllgethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
            VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
            WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dllWNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
            WININET.dllHttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
            PSAPI.DLLGetProcessMemoryInfo
            IPHLPAPI.DLLIcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
            USERENV.dllDestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
            UxTheme.dllIsThemeActive
            KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
            USER32.dllGetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
            GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
            COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
            ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
            SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
            ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
            OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishGreat Britain

            Network Behavior

            Network Port Distribution

            TCP Packets

            TimestampSource PortDest PortSource IPDest IP
            Jan 10, 2025 18:44:14.968761921 CET5512953192.168.2.101.1.1.1
            Jan 10, 2025 18:44:14.973562956 CET53551291.1.1.1192.168.2.10
            Jan 10, 2025 18:44:14.974225998 CET5512953192.168.2.101.1.1.1
            Jan 10, 2025 18:44:14.979573011 CET53551291.1.1.1192.168.2.10
            Jan 10, 2025 18:44:15.456657887 CET5512953192.168.2.101.1.1.1
            Jan 10, 2025 18:44:15.461683989 CET53551291.1.1.1192.168.2.10
            Jan 10, 2025 18:44:15.461759090 CET5512953192.168.2.101.1.1.1

            UDP Packets

            TimestampSource PortDest PortSource IPDest IP
            Jan 10, 2025 18:44:14.968344927 CET53644741.1.1.1192.168.2.10

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Jan 10, 2025 18:43:51.147953033 CET1.1.1.1192.168.2.100x81bNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
            Jan 10, 2025 18:43:51.147953033 CET1.1.1.1192.168.2.100x81bNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:12:43:54
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\3HnH4uJtE7.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\3HnH4uJtE7.exe"
            Imagebase:0xb50000
            File size:1'401'344 bytes
            MD5 hash:B88BAB75A48B9FEFCD3395AFA9891D69
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:2
            Start time:12:43:59
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\3HnH4uJtE7.exe"
            Imagebase:0xc40000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1600838338.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:0.9%
              Dynamic/Decrypted Code Coverage:6.5%
              Signature Coverage:6.5%
              Total number of Nodes:92
              Total number of Limit Nodes:8
              execution_graph 72132 401a80 72134 401a1e 72132->72134 72133 401a6a 72134->72133 72137 430183 72134->72137 72140 42e7c3 72137->72140 72141 42e7e9 72140->72141 72150 4072b3 72141->72150 72143 42e7ff 72144 401afc 72143->72144 72153 41b4f3 72143->72153 72146 42e81e 72147 42e833 72146->72147 72148 42cf13 ExitProcess 72146->72148 72164 42cf13 72147->72164 72148->72147 72167 416863 72150->72167 72152 4072c0 72152->72143 72154 41b51f 72153->72154 72191 41b3e3 72154->72191 72157 41b54c 72158 41b557 72157->72158 72197 42cb43 72157->72197 72158->72146 72159 41b580 72159->72146 72160 41b564 72160->72159 72162 42cb43 NtClose 72160->72162 72163 41b576 72162->72163 72163->72146 72165 42cf2d 72164->72165 72166 42cf3e ExitProcess 72165->72166 72166->72144 72168 416880 72167->72168 72170 416899 72168->72170 72171 42d5a3 72168->72171 72170->72152 72172 42d5bd 72171->72172 72173 42d5ec 72172->72173 72178 42c183 72172->72178 72173->72170 72179 42c1a0 72178->72179 72185 3472c0a 72179->72185 72180 42c1cc 72182 42ec13 72180->72182 72188 42cec3 72182->72188 72184 42d662 72184->72170 72186 3472c11 72185->72186 72187 3472c1f LdrInitializeThunk 72185->72187 72186->72180 72187->72180 72189 42cedd 72188->72189 72190 42ceee RtlFreeHeap 72189->72190 72190->72184 72192 41b4d9 72191->72192 72193 41b3fd 72191->72193 72192->72157 72192->72160 72200 42c223 72193->72200 72196 42cb43 NtClose 72196->72192 72198 42cb5d 72197->72198 72199 42cb6e NtClose 72198->72199 72199->72158 72201 42c23d 72200->72201 72204 34735c0 LdrInitializeThunk 72201->72204 72202 41b4cd 72202->72196 72204->72202 72205 424e03 72206 424e1f 72205->72206 72207 424e47 72206->72207 72208 424e5b 72206->72208 72209 42cb43 NtClose 72207->72209 72210 42cb43 NtClose 72208->72210 72211 424e50 72209->72211 72212 424e64 72210->72212 72215 42ed33 RtlAllocateHeap 72212->72215 72214 424e6f 72215->72214 72222 42fd13 72223 42ec13 RtlFreeHeap 72222->72223 72224 42fd28 72223->72224 72225 425193 72226 4251ac 72225->72226 72227 4251f7 72226->72227 72230 42523a 72226->72230 72232 42523f 72226->72232 72228 42ec13 RtlFreeHeap 72227->72228 72229 425207 72228->72229 72231 42ec13 RtlFreeHeap 72230->72231 72231->72232 72238 42ecf3 72241 42ce73 72238->72241 72240 42ed0e 72242 42ce8d 72241->72242 72243 42ce9e RtlAllocateHeap 72242->72243 72243->72240 72244 42c133 72245 42c150 72244->72245 72248 3472df0 LdrInitializeThunk 72245->72248 72246 42c178 72248->72246 72216 414083 72220 4140a3 72216->72220 72218 41410c 72219 414102 72220->72218 72221 41b803 RtlFreeHeap LdrInitializeThunk 72220->72221 72221->72219 72233 417ba7 72234 417bc7 72233->72234 72235 417bce 72234->72235 72236 417c03 LdrLoadDll 72234->72236 72236->72235 72237 3472b60 LdrInitializeThunk

              Executed Functions

              Function 00417BA3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 48 417ba3-417bcc call 42f7f3 51 417bd2-417be0 call 42fdf3 48->51 52 417bce-417bd1 48->52 55 417bf0-417c01 call 42e293 51->55 56 417be2-417bed call 430093 51->56 61 417c03-417c17 LdrLoadDll 55->61 62 417c1a-417c1d 55->62 56->55 61->62
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C15
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 44dff7828ac800889b2e2d27295a4c190e3a725e32000d653351a22f4bab9c37
              • Instruction ID: 1a0b9d70c97cc34e9484b06eb29d722b0d391b61d0745f80b2b633bb2f27a457
              • Opcode Fuzzy Hash: 44dff7828ac800889b2e2d27295a4c190e3a725e32000d653351a22f4bab9c37
              • Instruction Fuzzy Hash: 950148B5E0410DB7DF10DBE5DC42FDEB778AB54308F1041A6E90897240F675EB588B95
              Function 0042CB43 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 68 42cb43-42cb7c call 404733 call 42dd83 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CB77
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: c80c276de09b98725976cbc0f8e68c3decb7880c33813e68e1653b09fd387ad4
              • Instruction ID: 20b83d0799f5af39441a247934291f8752febf0e6f4966bf297093e838895010
              • Opcode Fuzzy Hash: c80c276de09b98725976cbc0f8e68c3decb7880c33813e68e1653b09fd387ad4
              • Instruction Fuzzy Hash: 62E04F316006147BD220BA5ADC41F9B775CDFC5714F004429FA08BB241C67479018BF4
              Function 034735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 84 34735c0-34735cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
              • Instruction ID: 4bca997d960333c53abf703bb35b18ff92955c10a8950eac8f555f58a6710de8
              • Opcode Fuzzy Hash: b9825105942e779f8b352d68d82bda0f9eae152e97186c4aee66648c490b0f21
              • Instruction Fuzzy Hash: 2690023160550802D100B258455474A1006C7E0301FA5C412A042496CD87958A5165A6
              Function 03472B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 82 3472b60-3472b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
              • Instruction ID: 7696a08e5a0c48e97cb664b4b09091bd128144885373470c9bf44bae4d9bad19
              • Opcode Fuzzy Hash: 95e15aa7820ea37cae0e72f35633bf8c4abfdef1cd67152372a387abca9edb48
              • Instruction Fuzzy Hash: 86900261202404034105B258445465A400BC7F0301B95C022E1014994DC72589916129
              Function 03472DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 83 3472df0-3472dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
              • Instruction ID: a81098e5722d36f428ef954467ae2455a47630f9ac59229d58944769b4d7c5f7
              • Opcode Fuzzy Hash: 46977b51b773d13d9b7de835fdf2022ba2715e9f56745a477666e3357d74669c
              • Instruction Fuzzy Hash: A890023120140813D111B258454474B000AC7E0341FD5C413A042495CD97568A52A125
              Function 0042CEC3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 42cec3-42cf04 call 404733 call 42dd83 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CEFF
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: hA
              • API String ID: 3298025750-1221461045
              • Opcode ID: 1c58b2d1ca32eaaef0993599e443f01ced3a3e8a9c6088d2c7b13ba1d1026be9
              • Instruction ID: 59007610a81a17d5328ac509089d6b84e9389f42ded09b61b51949d60cc0f4da
              • Opcode Fuzzy Hash: 1c58b2d1ca32eaaef0993599e443f01ced3a3e8a9c6088d2c7b13ba1d1026be9
              • Instruction Fuzzy Hash: 5DE06D756042087BD614EE59EC41FDB33ADEFC9710F004019F908A7242D670BA108BF4
              Function 0042CE73 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 63 42ce73-42ceb4 call 404733 call 42dd83 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E99E,?,?,00000000,?,0041E99E,?,?,?), ref: 0042CEAF
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: c263728c45b5859ac4b06c0b1f2e3f6a5f0316d8e2e9d285d80163a58c0fc764
              • Instruction ID: 82f53b3ac65c12f22450d1edb98ba830921598f35ae6f9ba364f13ceca14a26a
              • Opcode Fuzzy Hash: c263728c45b5859ac4b06c0b1f2e3f6a5f0316d8e2e9d285d80163a58c0fc764
              • Instruction Fuzzy Hash: B2E06D716042087BD610EE99DC41E9B37ACEFC5710F404019FA08A7241C670B9118BB4
              Function 0042CF13 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 73 42cf13-42cf4c call 404733 call 42dd83 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: b3810e20769eb1391e63f68a5edfd32974ec72d7fa7ecc39190c505b16afe35b
              • Instruction ID: 3b94315fdb47ff758e7a4f5f273fa824850d1fb389d7ad1acd44a865b98da77f
              • Opcode Fuzzy Hash: b3810e20769eb1391e63f68a5edfd32974ec72d7fa7ecc39190c505b16afe35b
              • Instruction Fuzzy Hash: 0BE086712006147BD620FB5ADC41F97775DDFC5714F10802AFA08A7181C771B91187F4
              Function 03472C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 78 3472c0a-3472c0f 79 3472c11-3472c18 78->79 80 3472c1f-3472c26 LdrInitializeThunk 78->80
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 361699771760aa7245790f27e8a9b46a8e6ad34475901b572e98c609debcbedf
              • Instruction ID: 8f8620567cc94c6ef084f93af80d3e55f75ec2df566e58a965bfb607d0785538
              • Opcode Fuzzy Hash: 361699771760aa7245790f27e8a9b46a8e6ad34475901b572e98c609debcbedf
              • Instruction Fuzzy Hash: 91B09B719015C5C9DA11F760460875B7905A7E0701F59C463D3030A55E4779C1D1E179

              Non-executed Functions

              Function 034B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 904abda1931b20ce6482e1bc31a2c16ac8de1755c60dd4c7170784955dc8acc8
              • Instruction ID: 6d49643731085dff88d55b34d2d257a5c262f96c3b3fcd0c09875bb952449cc8
              • Opcode Fuzzy Hash: 904abda1931b20ce6482e1bc31a2c16ac8de1755c60dd4c7170784955dc8acc8
              • Instruction Fuzzy Hash: 7C925C75604741AFD720DE25C880BABB7F8BB84750F144D2EFA949F250D7B0E845CB6A
              Function 034268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-3089669407
              • Opcode ID: 237ea7aa131b191abd8767d0a26495d6140b92e5057cc3815df30a9e7e40a582
              • Instruction ID: 499db2f6c81346b22c79182c2c51ec5e81168529dafa106bc467a71c2cdf98aa
              • Opcode Fuzzy Hash: 237ea7aa131b191abd8767d0a26495d6140b92e5057cc3815df30a9e7e40a582
              • Instruction Fuzzy Hash: 008122B2D016186F8B11FB99DDC0DEEB7BDAB15610B150867B910FF114E730EE099BA4
              Function 03468620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON
              Download Yara Rule
              Strings
              • Critical section address., xrefs: 034A5502
              • double initialized or corrupted critical section, xrefs: 034A5508
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A54E2
              • corrupted critical section, xrefs: 034A54C2
              • Critical section debug info address, xrefs: 034A541F, 034A552E
              • IrwIrw@4rw@4rw, xrefs: 034A5341, 034A534D
              • Invalid debug info address of this critical section, xrefs: 034A54B6
              • Critical section address, xrefs: 034A5425, 034A54BC, 034A5534
              • 8, xrefs: 034A52E3
              • Address of the debug info found in the active list., xrefs: 034A54AE, 034A54FA
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A54CE
              • undeleted critical section in freed memory, xrefs: 034A542B
              • Thread is in a state in which it cannot own a critical section, xrefs: 034A5543
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 034A540A, 034A5496, 034A5519
              • Thread identifier, xrefs: 034A553A
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$IrwIrw@4rw@4rw
              • API String ID: 0-3353328696
              • Opcode ID: 98cb35ddcd8f15614c294b7f325e4fcf91588a0cdf18043cfb09e91b5e29a4a0
              • Instruction ID: 15de0230ce7a1537af1e4f9859bd316f6f7614358bf7158002275784461abdb9
              • Opcode Fuzzy Hash: 98cb35ddcd8f15614c294b7f325e4fcf91588a0cdf18043cfb09e91b5e29a4a0
              • Instruction Fuzzy Hash: 8281BEB1A00B58EFDB20CF99C940BAEBBB5FB19700F24415AF518BF241D371A945CB68
              Function 03460F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
              • API String ID: 0-360209818
              • Opcode ID: 0215c252cf524a7cbce01e4fe855529326adffdd78a903178bc7b9a012f3cd8a
              • Instruction ID: 8a79a273a0b4f2c4d87d3fbdac31dc6fcda57a2dda30525a5a3692b2d27f5379
              • Opcode Fuzzy Hash: 0215c252cf524a7cbce01e4fe855529326adffdd78a903178bc7b9a012f3cd8a
              • Instruction Fuzzy Hash: 1D6290B5E006298FDB24CF18C8417AAB7B6AFA5310F5882DBD449AF340D7325AD1CF49
              Function 034E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
              • API String ID: 0-3591852110
              • Opcode ID: 8121ae0256373ef86f5b100b1a11fab926531e6e68e9329e20434c30ed5edf93
              • Instruction ID: c67eb5b30f35a198ed420fedb4ff112d2d123dcb4eb52633acb8f3874eafcfac
              • Opcode Fuzzy Hash: 8121ae0256373ef86f5b100b1a11fab926531e6e68e9329e20434c30ed5edf93
              • Instruction Fuzzy Hash: 8912BA746406429FD725CF29C440BBABBE1FF09706F18849EE4A68F782D734E881CB58
              Function 0344AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
              • API String ID: 0-3197712848
              • Opcode ID: c707e9ba33b336cdf8e7a6f6f2a61b34dccbf8b0b6925c2157399ff90f97cb18
              • Instruction ID: 6e6e1b48dddfc656793f8951ab57c82a5cef9b78f434b881e904194ed44c76d0
              • Opcode Fuzzy Hash: c707e9ba33b336cdf8e7a6f6f2a61b34dccbf8b0b6925c2157399ff90f97cb18
              • Instruction Fuzzy Hash: 5E12BA71A083418FE724DF28C840BABB7E4EF85704F08096FE9958F291E774D945CB9A
              Function 0342D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
              • API String ID: 0-3532704233
              • Opcode ID: f9af6e65f4f183343f42f62cd200e6778af01037fea24292d99c48602481cfe4
              • Instruction ID: 3c7b8c2b35a95d93dad58e4b4d5979ec1388248ad66ce7d218d946346b5d7666
              • Opcode Fuzzy Hash: f9af6e65f4f183343f42f62cd200e6778af01037fea24292d99c48602481cfe4
              • Instruction Fuzzy Hash: 59B19A719083619FC711EF24C440A6FBBE8AB89744F45092FF8A8EF350D7B0D9458B9A
              Function 034E0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
              • API String ID: 0-1357697941
              • Opcode ID: b5fb2d93d0264e0ec26dd4d15b4fa3955f582e5fd37f5bc1833961a7b21e4464
              • Instruction ID: df326f79e4ba5446b4529ce3199e0818a7bc389c462d2bf210598765557f77fb
              • Opcode Fuzzy Hash: b5fb2d93d0264e0ec26dd4d15b4fa3955f582e5fd37f5bc1833961a7b21e4464
              • Instruction Fuzzy Hash: 8FF1DE35A00255EFCB25CF6AC440BAAFBF5FF09705F48809AE4A19F642C7B4A945CF58
              Function 034C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 0-3063724069
              • Opcode ID: fdb73c106b18d97fdda2f1c08effb367dc1cb2979bbc7440e480ef4c895d9b44
              • Instruction ID: d2eb3a99821972a2ef8aa10e861c988505022a02fcc594f5479361af8b082ec6
              • Opcode Fuzzy Hash: fdb73c106b18d97fdda2f1c08effb367dc1cb2979bbc7440e480ef4c895d9b44
              • Instruction Fuzzy Hash: 4ED1E376918391BFD761DB64C840BAFB7E8AF84714F04492FFA949F260D770C9048B9A
              Function 034E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: b5defac8c1aae467a4a0a5718dcc4342c8ea8f964e75e8edfb50389839bad91f
              • Instruction ID: d23c1727d13ccec169274de3667fa5720f4b8dd0c693dd007ec67bceaeccb9ef
              • Opcode Fuzzy Hash: b5defac8c1aae467a4a0a5718dcc4342c8ea8f964e75e8edfb50389839bad91f
              • Instruction Fuzzy Hash: 84D1CE75600685DFCB21DF6AC440AAEFBF1FF46611F08809AE465AF362C7749942CF18
              Function 0342D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • @, xrefs: 0342D313
              • @, xrefs: 0342D2AF
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0342D146
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0342D0CF
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0342D262
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 0342D196
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0342D2C3
              • @, xrefs: 0342D0FD
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              • Opcode ID: 6b5309b55c0c48a737d7d5153248c54eb170b29eca9a37d08d1ddc3a0dd5d247
              • Instruction ID: 4b69a293ccdad02b407d3b8ac09260a1d71beea77780606d2c1763d1a5efacc9
              • Opcode Fuzzy Hash: 6b5309b55c0c48a737d7d5153248c54eb170b29eca9a37d08d1ddc3a0dd5d247
              • Instruction Fuzzy Hash: 36A17A719083559FD320DF25C444BAFFBE8BB85715F40492FE5A8AE240D7B4D908CBAA
              Function 03449EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
              Download Yara Rule
              Strings
              • @, xrefs: 03449EE7
              • Status != STATUS_NOT_FOUND, xrefs: 0349789A
              • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 034976EE
              • minkernel\ntdll\sxsisol.cpp, xrefs: 03497713, 034978A4
              • Internal error check failed, xrefs: 03497718, 034978A9
              • sxsisol_SearchActCtxForDllName, xrefs: 034976DD
              • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03497709
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
              • API String ID: 0-761764676
              • Opcode ID: 64d8723a6fa1d853750d0dc4b4206e9549141dd730d472fdc507a211470cba95
              • Instruction ID: 7c1b73f21cecfb4b5d377466e7bdf7536b2549a10ce69f5443f3b435e2d73168
              • Opcode Fuzzy Hash: 64d8723a6fa1d853750d0dc4b4206e9549141dd730d472fdc507a211470cba95
              • Instruction Fuzzy Hash: 53127E749102159FEF14CFA8C881AAEBBB4FF48714F1880ABE855EF351E7349841CB69
              Function 0343EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: ac5e19e74e4b0e43824b64a0a4e4574fc5fb55db9c53631f89e8e7f28d6d0912
              • Instruction ID: 0ed53c6dc7a038573379b357162e6d251e8b9c3c6fb859fe0e04d6c8f9791754
              • Opcode Fuzzy Hash: ac5e19e74e4b0e43824b64a0a4e4574fc5fb55db9c53631f89e8e7f28d6d0912
              • Instruction Fuzzy Hash: 85A22B75E056298FDF64CF19C8887AABBB5AF49304F1442DBD419AB350DB349E86CF08
              Function 0342F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              • Opcode ID: accab0620e7ab1ac2480eb9270aaaa645e9030fc856f761a5610618cac9334fa
              • Instruction ID: def582e9bc45274ff4dfefbca0672cd4271fc8d69d0311b398d0dce635bd3517
              • Opcode Fuzzy Hash: accab0620e7ab1ac2480eb9270aaaa645e9030fc856f761a5610618cac9334fa
              • Instruction Fuzzy Hash: AD420F356083918FD714EF29C480A2BFBE5FF85204F88496EE8959F351D730D88ACB5A
              Function 0343ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
              • API String ID: 0-4098886588
              • Opcode ID: e36e005fc489be51b133fcd584b56b57b272acc80958a8d27aa6295685e36c6a
              • Instruction ID: cf81ecdcec24e23c61d580d3c9ca1680cef6b8797d815ac871405f38867deefc
              • Opcode Fuzzy Hash: e36e005fc489be51b133fcd584b56b57b272acc80958a8d27aa6295685e36c6a
              • Instruction Fuzzy Hash: 01328E75A442698BEF21CF14C858BEEB7B9EB4A340F1441EBD859AF350D7319E818F48
              Function 0344B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              • Opcode ID: 6e1761a69dd6934e2a18616b58ee344397d05b8bb552fb7179d5c7613ac8786c
              • Instruction ID: 4bc488deb819c2603e0f3a8c2adcd9964c58be60202a2b82f4739082271a1503
              • Opcode Fuzzy Hash: 6e1761a69dd6934e2a18616b58ee344397d05b8bb552fb7179d5c7613ac8786c
              • Instruction Fuzzy Hash: 4DC11931A00215ABEF24DB69C881BBFBB65EF46300F18407BE8959F391E7B4D945C399
              Function 034663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: c04d91b265853cfa093eb008dee1ea166e47283803bf8b49d897c00c23240b7c
              • Instruction ID: c5690d66ffa543c7d8f8f687fa338890311a65d9e50e63af36b20ca4d1fde58a
              • Opcode Fuzzy Hash: c04d91b265853cfa093eb008dee1ea166e47283803bf8b49d897c00c23240b7c
              • Instruction Fuzzy Hash: B3913531A00B149FDB24EF1AE844BAEB7A4FB22714F19052BD4206F391D7B85802D79D
              Function 03462674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 034A219F
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 034A2180
              • SXS: %s() passed the empty activation context, xrefs: 034A2165
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 034A2178
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 034A21BF
              • RtlGetAssemblyStorageRoot, xrefs: 034A2160, 034A219A, 034A21BA
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: d52e5ac201dca7cf45a1ea6733de6605e1cb20256bda686e124efa6778e6fc62
              • Instruction ID: 842ca6dcca6ebf11a655d0360970a0d77e22dad27831a203027802a92c5185bc
              • Opcode Fuzzy Hash: d52e5ac201dca7cf45a1ea6733de6605e1cb20256bda686e124efa6778e6fc62
              • Instruction Fuzzy Hash: B0313736F406147BE720CE998C41F5FBA78DBA4A41F09446BFA146F241D2F0DA01D7AA
              Function 0346C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeImportRedirection, xrefs: 034A8177, 034A81EB
              • minkernel\ntdll\ldrredirect.c, xrefs: 034A8181, 034A81F5
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 034A81E5
              • Loading import redirection DLL: '%wZ', xrefs: 034A8170
              • minkernel\ntdll\ldrinit.c, xrefs: 0346C6C3
              • LdrpInitializeProcess, xrefs: 0346C6C4
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: 7787dbbf8a9dfcda1934330727d59f5e3c47fb55b1e0370df5cc7552ef090315
              • Instruction ID: 6793155cc980f9483cdffd79bbc2603a1b21c778b28406db5bc0fbb273c8faa7
              • Opcode Fuzzy Hash: 7787dbbf8a9dfcda1934330727d59f5e3c47fb55b1e0370df5cc7552ef090315
              • Instruction Fuzzy Hash: D43117757447019FC220EF29DD45E2BBBA5EF90B10F04095EF8806F3A2D660ED05C7AA
              Function 034B9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
              • API String ID: 0-3127649145
              • Opcode ID: a712ac237bed12ec75bfd83d27e19108b74b821216486a3781dffce69cecb903
              • Instruction ID: ef4e0528d90871c4125f1f7da42efef92d0f098c4af0aae7529caaccb4132dbe
              • Opcode Fuzzy Hash: a712ac237bed12ec75bfd83d27e19108b74b821216486a3781dffce69cecb903
              • Instruction Fuzzy Hash: 84323575A007199FDB61DF25CC88BDAB7F8EF48304F1045EAE509AB250DB70AA85CF58
              Function 03449950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
              • API String ID: 0-3393094623
              • Opcode ID: 5720584ce54dc5db203c3fc7543796203956c7cdadeedc593632fd1d9ca97629
              • Instruction ID: 530007342c2baac6c3516214c6ee05bdba10dc0920b5103f1dc3e7d94c4d396b
              • Opcode Fuzzy Hash: 5720584ce54dc5db203c3fc7543796203956c7cdadeedc593632fd1d9ca97629
              • Instruction Fuzzy Hash: 4D0257715083818FE760CF24C184B6BBBE4BF89714F58896FE9988F350D770D8459B9A
              Function 034551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
              Download Yara Rule
              Strings
              • WindowsExcludedProcs, xrefs: 0345522A
              • Kernel-MUI-Language-Allowed, xrefs: 0345527B
              • Kernel-MUI-Language-SKU, xrefs: 0345542B
              • Kernel-MUI-Language-Disallowed, xrefs: 03455352
              • Kernel-MUI-Number-Allowed, xrefs: 03455247
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              • Opcode ID: 9df93206d1654d07a2b0f010e65e159cff1c1f874ddff2f813dd33dec662ea08
              • Instruction ID: 7a3186dc777dd45395eaa7d3e5d22d66d162affe3d94614e8d9191aef5891166
              • Opcode Fuzzy Hash: 9df93206d1654d07a2b0f010e65e159cff1c1f874ddff2f813dd33dec662ea08
              • Instruction Fuzzy Hash: 7CF14C76D00218EFDF11DF95C980AEEBBB9EF49650F1540ABE902AF251D7709E01CB98
              Function 034B4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
              • API String ID: 0-2518169356
              • Opcode ID: 80b111605aebd1a00ca663c787b8b1a0dd6cd8bc021b92c4f6d82b16f5fd328c
              • Instruction ID: d6f95d42cc8f6379100b4806bae1ebd9d6aa20abe6ffcf6b448143340997055c
              • Opcode Fuzzy Hash: 80b111605aebd1a00ca663c787b8b1a0dd6cd8bc021b92c4f6d82b16f5fd328c
              • Instruction Fuzzy Hash: 8B91AE76D006199BCB21CF69C881AEEF7B5EF4A310F5941AAE811EB350D735D901CBA8
              Function 0345D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1975516107
              • Opcode ID: 7fc4c2257810302a56cecbc8f791b167c847cd5e120fe41228b64054e2dce19c
              • Instruction ID: 33018de20ec85835bb5f58b57187232d49f2a4dfa74cb127bfb5380a7a687670
              • Opcode Fuzzy Hash: 7fc4c2257810302a56cecbc8f791b167c847cd5e120fe41228b64054e2dce19c
              • Instruction Fuzzy Hash: 6D51F375E003459FDB24EF65C484B9EBBB1BF4A314F18405AE8216F3A2D774994ACB88
              Function 034276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
              • API String ID: 0-3061284088
              • Opcode ID: 816b942997c244870cfcad291256ffd575fb5778106c8abb1bce47e13f9af577
              • Instruction ID: afc7c73e469d90b4ba52f8e8c8e393a4fb0d6b79daac4ebab664b06115322c64
              • Opcode Fuzzy Hash: 816b942997c244870cfcad291256ffd575fb5778106c8abb1bce47e13f9af577
              • Instruction Fuzzy Hash: 43012876208260DED225F31A9409F5ABFD4DF43A70F28409FE4205F6A2CAE4A885D92D
              Function 034470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: eab77feb37ff9d1c8a52140546d432c12f90e657e7952faeea301a786cd46deb
              • Instruction ID: 9610d9aebfb6682e4ae529f98add7fa4e26409c66e3bd508fb1b4ee60ab34f18
              • Opcode Fuzzy Hash: eab77feb37ff9d1c8a52140546d432c12f90e657e7952faeea301a786cd46deb
              • Instruction Fuzzy Hash: E2139F70A006558FEB25CF69C4807AAFBF1FF49304F1881AAD855AF381D735A946CF98
              Function 034429A0 Relevance: 6.0, Strings: 4, Instructions: 966COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-3126994380
              • Opcode ID: cc9723cce0b7e7c2b32c03e88263874b7240e1614e47ea4672602353bd112d34
              • Instruction ID: e332a1c399284c73c22b8a63708b54f940fd31f151f85735eda64107b1c92ea9
              • Opcode Fuzzy Hash: cc9723cce0b7e7c2b32c03e88263874b7240e1614e47ea4672602353bd112d34
              • Instruction Fuzzy Hash: FA92BC74A042489FEB25CF69C4407AEBBF1FF08700F1884AAE859AF391D775A946CF54
              Function 03441070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              • API String ID: 0-3570731704
              • Opcode ID: 71e0e00abfaaadf51200b5016e793741d14fa99c4ace79729ea85c857de0d8e3
              • Instruction ID: 616b8a811ffca3edd168ed508eab9449378f1fffc92335e6a570c82d3e8ca6a1
              • Opcode Fuzzy Hash: 71e0e00abfaaadf51200b5016e793741d14fa99c4ace79729ea85c857de0d8e3
              • Instruction Fuzzy Hash: DA926875A00228CFEB25CF19C840BAAB7B5BF45314F1981EBD959AB390D7309E81CF59
              Function 03431460 Relevance: 5.4, Strings: 4, Instructions: 385COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-2084224854
              • Opcode ID: 4b6265ccde3305658767e81b17c375144f09da1c4c49ab19759a205574fc6ffa
              • Instruction ID: a3a82a7b6b4222e4681270a07134b1a6a00ac9333182da54274c722ecb7ca33b
              • Opcode Fuzzy Hash: 4b6265ccde3305658767e81b17c375144f09da1c4c49ab19759a205574fc6ffa
              • Instruction Fuzzy Hash: E4E1E070A046419FDB25EF68C491A7ABBF5EF4A300F18849FE4A68F345D734E845CB58
              Function 034D705E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: kLsE$|Mg
              • API String ID: 3446177414-18095499
              • Opcode ID: b503fe5c8f6c881318cc2259ade033fdb54de7d8ba5379aeab3533aa7a1e7875
              • Instruction ID: 4081398e7f80bf8cdd8a4d8fbe5dc1454b7af597f6e2d8ac832ec5f704b8973e
              • Opcode Fuzzy Hash: b503fe5c8f6c881318cc2259ade033fdb54de7d8ba5379aeab3533aa7a1e7875
              • Instruction Fuzzy Hash: D64186715013504EE731FF66E894F6A7FA0AB12724F18021EED604F2E9CBB0548BD799
              Function 0344A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
              Download Yara Rule
              Strings
              • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03497D56
              • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03497D03
              • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03497D39
              • SsHd, xrefs: 0344A885
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
              • API String ID: 0-2905229100
              • Opcode ID: c86c005a8bee0f754deddd2103bb8cc4a7d74f4758a605c717a9abdee979b978
              • Instruction ID: f9c6838038c0426aec181e4a0b5a629735bf246c60adb367fc452583aadd834c
              • Opcode Fuzzy Hash: c86c005a8bee0f754deddd2103bb8cc4a7d74f4758a605c717a9abdee979b978
              • Instruction Fuzzy Hash: 21D15975A402199BEB24CF98C880AAEFBB5EF48310F19416BE845AF351D371D985CB98
              Function 03443D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: cb725d2344c500853abab4569a37ee0b3e925ce4439e2660bc6a7ef31f47cd3d
              • Instruction ID: 4d91fb5e37437b46efc7ddccc7c7c726acb5c396f03a4a67095f819291459521
              • Opcode Fuzzy Hash: cb725d2344c500853abab4569a37ee0b3e925ce4439e2660bc6a7ef31f47cd3d
              • Instruction Fuzzy Hash: 62E2B374A006558FEB24CF5AC490BAAF7F1FF49304F1881AAD855AF385D734A846CF98
              Function 0343A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: 9ebd3715ebe00e7f5f3f600ce7d8fc64c39620c4a705654247d4d452c8ab3401
              • Instruction ID: 48ebc854dd1a985aa21fb57029a3a80c908956aeb1b017b8dfaef4da36521e4b
              • Opcode Fuzzy Hash: 9ebd3715ebe00e7f5f3f600ce7d8fc64c39620c4a705654247d4d452c8ab3401
              • Instruction Fuzzy Hash: FBC187742483869FDB10CF18C144B6AB7E4AF8A704F04496BF8E68F350E374C94ACB5A
              Function 03440C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
              Download Yara Rule
              Strings
              • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 034954ED
              • HEAP[%wZ]: , xrefs: 034954D1, 03495592
              • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 034955AE
              • HEAP: , xrefs: 034954E0, 034955A1
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
              • API String ID: 0-1657114761
              • Opcode ID: 50b6cb21f5863f521da1d032d2cedd4302ce2707576771853593d2452c5e7dc0
              • Instruction ID: 85a97bd457df5d7c636db68b430330be3bd856686830a50cd4afeaf4783778aa
              • Opcode Fuzzy Hash: 50b6cb21f5863f521da1d032d2cedd4302ce2707576771853593d2452c5e7dc0
              • Instruction Fuzzy Hash: BFA1D070604605DFEB28DF25C840B6AFBA5AF45300F2885BFD5968F782D730A855CB98
              Function 0346273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 034A22B6
              • SXS: %s() passed the empty activation context, xrefs: 034A21DE
              • .Local, xrefs: 034628D8
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 034A21D9, 034A22B1
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: 9ff1d861334f100773043af3374a3e0ab98e8461d9c8c957d104b5b243a939fa
              • Instruction ID: 97ba20dcc9315d07106f2f7d4f60778b9ade40bc39c5c48113ec238da891fcad
              • Opcode Fuzzy Hash: 9ff1d861334f100773043af3374a3e0ab98e8461d9c8c957d104b5b243a939fa
              • Instruction Fuzzy Hash: C1A19235A002299FDB24CF54D884B9AB3B4BF58314F1849EBD818AF351D7709E85CF99
              Function 0342F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
              • API String ID: 0-2586055223
              • Opcode ID: 352558d418c32e17ee1c3556085543eca9d0f0a630d6819e1372129316d62b8b
              • Instruction ID: 4b558c6bd27376beac093991cde108266def5ac8a76d27b465933bef3b3621ba
              • Opcode Fuzzy Hash: 352558d418c32e17ee1c3556085543eca9d0f0a630d6819e1372129316d62b8b
              • Instruction Fuzzy Hash: 806114762047409FE711EB69C844F6BBBE8EF80B10F08046AE9659F3A1C734D846CB69
              Function 034E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 0-336120773
              • Opcode ID: e2cd1ba51e4cab2111d17de5c9adda99122c8d3829194fcd5a57b918b0713d1c
              • Instruction ID: 2032562c5818e2528e2f81f2ecd2c00ed195a1f725a610a73f0aa24b01becdeb
              • Opcode Fuzzy Hash: e2cd1ba51e4cab2111d17de5c9adda99122c8d3829194fcd5a57b918b0713d1c
              • Instruction Fuzzy Hash: C731DE39254250EFC711DB99CC86F6AB7E8EF09625F28019BF811EF291D670EC40DA6D
              Function 03429148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              • API String ID: 0-1391187441
              • Opcode ID: 345ec135c0dfb39fc736f4638bc9abca9af40c9db688d77592d87bd4c824f41b
              • Instruction ID: b8e4945c76a78335aed377dbffaa042d7fb827f660c29a776a9e60a0dd8bc4b7
              • Opcode Fuzzy Hash: 345ec135c0dfb39fc736f4638bc9abca9af40c9db688d77592d87bd4c824f41b
              • Instruction Fuzzy Hash: CE318436600214AFDB11DB56C885FEEBBB9EF45620F5440A7E824BF291D770DD40CE69
              Function 03441F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: 406c33fa83626edea67583803a32ff31c298c03965eb219829ff0dc2e2b172c0
              • Instruction ID: d28e013a3e8ba83e3a8bc75c162431b48704edaea745b1dd081dfccbe2f07e51
              • Opcode Fuzzy Hash: 406c33fa83626edea67583803a32ff31c298c03965eb219829ff0dc2e2b172c0
              • Instruction Fuzzy Hash: 6322EC706006019FEB16DF29C494B7BFBA5EF06704F2884ABE9558F382D775D882CB58
              Function 034317EC Relevance: 4.3, Strings: 3, Instructions: 520COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 0348F8AA
              • HEAP: , xrefs: 0348F8B7
              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0348F8CC
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: c72a09582dbdc78052ba537aff49ad3f829678b2c988b85c2fe65e64b3bb44a1
              • Instruction ID: f5eb53941d8a565dc9802b19d06d4cf15597a89aedf94d98bb04d8c0ab9ccd51
              • Opcode Fuzzy Hash: c72a09582dbdc78052ba537aff49ad3f829678b2c988b85c2fe65e64b3bb44a1
              • Instruction Fuzzy Hash: A4129030604755AFDB18EF25C080B7AB7A1FF4A714F18859ED4968F381D774E846CB98
              Function 03440770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: e0acf76d092a869a861dae0ed90478442981ea26ce4d15d127f897c7313f6159
              • Instruction ID: c5c2da4d684bb37822fd65ee4c75c6d083d31aac2994b3748c9f8a0b4da2b597
              • Opcode Fuzzy Hash: e0acf76d092a869a861dae0ed90478442981ea26ce4d15d127f897c7313f6159
              • Instruction Fuzzy Hash: 5EF1BB34A00605DFEB15CF69C980B6AFBB5FB45300F2841AAE5169F391D734E992CF98
              Function 0343B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
              • API String ID: 0-1145731471
              • Opcode ID: 47447d6d4882c8badf7e12099db197f7a0815197ea92289a382ac82e30f81b63
              • Instruction ID: 4423df1ea3ef1bddfc55e122ca56f70948c42a05b2dedff07a3b3786b01c5b1c
              • Opcode Fuzzy Hash: 47447d6d4882c8badf7e12099db197f7a0815197ea92289a382ac82e30f81b63
              • Instruction Fuzzy Hash: A0B16C79A046049FEF25CF59C980BAEBBB6EF4A714F18456BE451EF380D730A841CB58
              Function 034B368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
              • API String ID: 0-2391371766
              • Opcode ID: 761b1e73e6fc2a740bcae9d75dd97d58c373c3cf4f198ec3bce229d29e6a6eb7
              • Instruction ID: 82568bf10bde3806f4c42dd8f6171118401647f35430621d1df8c21e44bcc34b
              • Opcode Fuzzy Hash: 761b1e73e6fc2a740bcae9d75dd97d58c373c3cf4f198ec3bce229d29e6a6eb7
              • Instruction Fuzzy Hash: 97B17D79604341AFD321DF56C880FABB7F8EB49710F15492BF9509F250D7B4E8058BAA
              Function 03456962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: f44568396bb8fc9e87e936001b7445f4c5b4b075618c0bb59cfea1bc598c8f11
              • Instruction ID: 9525803f52f15d8898f9316426a154067d64b783113f4801fbea0010547e1597
              • Opcode Fuzzy Hash: f44568396bb8fc9e87e936001b7445f4c5b4b075618c0bb59cfea1bc598c8f11
              • Instruction Fuzzy Hash: 32C28371A083419FEB25CF25C480BABBBE5AF88714F08896EF999CB351D734D805CB56
              Function 0342A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: ac6dc4345de337be4c6d3cf0dcc81cc1233818f773fef15de07254481da7328d
              • Instruction ID: ac00196f2b61f0f09e181aabf7d197841891c7fd29f380c1462df5069cdce94d
              • Opcode Fuzzy Hash: ac6dc4345de337be4c6d3cf0dcc81cc1233818f773fef15de07254481da7328d
              • Instruction Fuzzy Hash: 75A15E759016299BDB21EF24CC88BEEF7B8EF44700F1405EAD909AB250D7359E85CF68
              Function 034C36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
              • API String ID: 0-318774311
              • Opcode ID: 9510a991229610e4ecfd9a2a7d9dc0928e05dfe0156ec286c71ae373773e0e63
              • Instruction ID: 80a795d569f03cb169b335f0661fa7a09d718d7d6eda1ce999d474851781af52
              • Opcode Fuzzy Hash: 9510a991229610e4ecfd9a2a7d9dc0928e05dfe0156ec286c71ae373773e0e63
              • Instruction Fuzzy Hash: 93819B7D619380AFE351DF15C844B6BB7E8FB84B50F04892EB9909F390D778D9048B6A
              Function 00401220 Relevance: 4.0, Strings: 3, Instructions: 214COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: R@$gfff$vMB
              • API String ID: 0-3804419812
              • Opcode ID: 519e029a855044b00b936dffaa6b22d769e66826345123e741086b7320fffeb5
              • Instruction ID: 9a09a0e49282d06d74818b76c87beaf44b41725a36128b03a4c8cd2f4bd77506
              • Opcode Fuzzy Hash: 519e029a855044b00b936dffaa6b22d769e66826345123e741086b7320fffeb5
              • Instruction Fuzzy Hash: 3F71D871E1060987DF08CEA9C8511EEB771EBD4314F24926BE815BF7E1E7389942CB94
              Function 0346909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %$&$@
              • API String ID: 0-1537733988
              • Opcode ID: 7a8aa1e72c628007adf144046a73e596970759257c31c7ed146a89babcb3dea6
              • Instruction ID: cb5a829656ece80b15242ebfcafb7afacdd4d88ab304fd2270a7b384ce08a2c5
              • Opcode Fuzzy Hash: 7a8aa1e72c628007adf144046a73e596970759257c31c7ed146a89babcb3dea6
              • Instruction Fuzzy Hash: 3D71D0746087019FD710DF25C580A6BBBE9BF85618F14895FE4AA8F390C770D806CB9B
              Function 0350B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
              Download Yara Rule
              Strings
              • GlobalizationUserSettings, xrefs: 0350B834
              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0350B82A
              • TargetNtPath, xrefs: 0350B82F
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
              • API String ID: 0-505981995
              • Opcode ID: 40796cd893b05958f1b7809a373c46a6dc15f7e36ff09a0f5f159f1ac9e00226
              • Instruction ID: a5f5aa92077b25c56775fa47bc184a206145739be4d82a40cfa8ed46b7d50ea2
              • Opcode Fuzzy Hash: 40796cd893b05958f1b7809a373c46a6dc15f7e36ff09a0f5f159f1ac9e00226
              • Instruction Fuzzy Hash: 16618F72D41229AFDB21DF54DC88BDAB7B8BF14710F0105EAA508AB2A0C775DE84CF94
              Function 0342F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 0348E6A6
              • HEAP: , xrefs: 0348E6B3
              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0348E6C6
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
              • API String ID: 0-1340214556
              • Opcode ID: e48211a9891826920f637a20e44182868110b57128f41cf37d578b2cf0c19fb6
              • Instruction ID: c9776b34cd80c2863c70cc0f07841285601d452c4c16ceb2084db20f58aeadc2
              • Opcode Fuzzy Hash: e48211a9891826920f637a20e44182868110b57128f41cf37d578b2cf0c19fb6
              • Instruction Fuzzy Hash: 92511435200754EFE712EBA9C844B6AFBF8EF05700F4800A6E951AF792D374E955CB18
              Function 034DDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 034DDC12
              • HEAP: , xrefs: 034DDC1F
              • Heap block at %p modified at %p past requested size of %Ix, xrefs: 034DDC32
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
              • API String ID: 0-3815128232
              • Opcode ID: f7e37a4675b7cc50347d6fe67cc10b3596c73000e94ac36930ed02b293df5314
              • Instruction ID: 1dea257a184dfec5f158bbec3e769f6ea475850902e70435fe5e1927fff407f9
              • Opcode Fuzzy Hash: f7e37a4675b7cc50347d6fe67cc10b3596c73000e94ac36930ed02b293df5314
              • Instruction Fuzzy Hash: 3D513435A002508EE374DE2AC864773B7E1DF47648F18889BE4E28F285D275E807DB29
              Function 00402B80 Relevance: 3.9, Strings: 3, Instructions: 154COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff$gfff$_
              • API String ID: 0-1772634698
              • Opcode ID: 7d4251c85223fb1b75632bdd1abc0e040d60cf6cb0056526259a711eed4ccfe2
              • Instruction ID: 004376aca4476138a6de9415a8fe53e65e85b5bc648b3c84359783edf32670d3
              • Opcode Fuzzy Hash: 7d4251c85223fb1b75632bdd1abc0e040d60cf6cb0056526259a711eed4ccfe2
              • Instruction Fuzzy Hash: EB512771E0421A4BDB19CE9EDD843DDBA65AB98304F18827ADD48FF3D1D1B49E018BC4
              Function 0346C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 034A82E8
              • Failed to reallocate the system dirs string !, xrefs: 034A82D7
              • LdrpInitializePerUserWindowsDirectory, xrefs: 034A82DE
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: d6244c0eb63a09fd009d1c552602298d5a36463afad7624c7e0b6dfa910f6eba
              • Instruction ID: b882ff560d9ea942ca02b5e3db0f08e2be73e2c76baa17bba7e0112b359c0a08
              • Opcode Fuzzy Hash: d6244c0eb63a09fd009d1c552602298d5a36463afad7624c7e0b6dfa910f6eba
              • Instruction Fuzzy Hash: 1B41F3B5540310AFC720EF65D880F5BB7E8EB59650F04482BF998DF2A0E770E8059B9A
              Function 034616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
              Download Yara Rule
              Strings
              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 034A1B39
              • LdrpAllocateTls, xrefs: 034A1B40
              • minkernel\ntdll\ldrtls.c, xrefs: 034A1B4A
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
              • API String ID: 0-4274184382
              • Opcode ID: 1fd5a2ef08d5fba5367a55336bb623cf73dddeadd229d9eb274cfe010c7df577
              • Instruction ID: 2a7c60a6f8e353b38c70c1686618dc0470bcdf6b65be018490c7ca7946597bbe
              • Opcode Fuzzy Hash: 1fd5a2ef08d5fba5367a55336bb623cf73dddeadd229d9eb274cfe010c7df577
              • Instruction Fuzzy Hash: 1941ACB9A00604AFDB15DFA9D841BAEFBF5FF59710F14812AE405AF350E774A801CB98
              Function 034EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 034EC1C5
              • PreferredUILanguages, xrefs: 034EC212
              • @, xrefs: 034EC1F1
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 4037529b6465c1a0dc2df770f94e3b93f281aef05a9972b744ace62e06298643
              • Instruction ID: 27af0c22aad7b4e287e3cf6dfbe78feb6767478a5f7b590720bef51100d44c5d
              • Opcode Fuzzy Hash: 4037529b6465c1a0dc2df770f94e3b93f281aef05a9972b744ace62e06298643
              • Instruction Fuzzy Hash: 61417C76E00219EFDB11DED5C881FEEB7B8AB04701F14406BE915BF2A0D7B49E448B98
              Function 034C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: 40265693b8bdbf3c929d9593e593e822b41058f0d91dab4d89d567858d4c3f2e
              • Instruction ID: 69ac438ce4cdd284fcc8129bd1e70e783346e05c867b39dbb4d0ecc5351e867f
              • Opcode Fuzzy Hash: 40265693b8bdbf3c929d9593e593e822b41058f0d91dab4d89d567858d4c3f2e
              • Instruction Fuzzy Hash: 3641E3799107888FEB22DBD6C954BADBBB8EF55340F18046FD851AF381DA348901CB18
              Function 034B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 034B4899
              • LdrpCheckRedirection, xrefs: 034B488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 034B4888
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: 1f80e711c4bf6585e7a2d081bf2964b7cd4f9f9b4c72e96bde63d9312b481172
              • Instruction ID: fce7dd44f39a53cfcf89f9864465a8f22186ad1abf41b265308fc1d13be54445
              • Opcode Fuzzy Hash: 1f80e711c4bf6585e7a2d081bf2964b7cd4f9f9b4c72e96bde63d9312b481172
              • Instruction Fuzzy Hash: A541C436A007509FCB21CE6AD840AA7BBF8AF49650B09056FEC589F353D730D801CBA9
              Function 034633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • SXS: %s() passed the empty activation context data, xrefs: 034A29FE
              • RtlCreateActivationContext, xrefs: 034A29F9
              • Actx , xrefs: 034633AC
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              • API String ID: 0-859632880
              • Opcode ID: c7b127f256a94dd57c8f04abfdea8e9807e0afe2419d3703eb1d0ab680c6169b
              • Instruction ID: 21c146bd9b4690c70b266ae23227e75db4e12f7cad0ff2ce9e499122651c6200
              • Opcode Fuzzy Hash: c7b127f256a94dd57c8f04abfdea8e9807e0afe2419d3703eb1d0ab680c6169b
              • Instruction Fuzzy Hash: F33142362007419FDB26DF58C880B9AB3A4FB44714F18886BEC049F3A1CB70E842CB98
              Function 03461607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeTls, xrefs: 034A1A47
              • minkernel\ntdll\ldrtls.c, xrefs: 034A1A51
              • DLL "%wZ" has TLS information at %p, xrefs: 034A1A40
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
              • API String ID: 0-931879808
              • Opcode ID: 4fd145c8b6554437a18e3155a627d5ae42594733539b42ee14cf6409d3f2974d
              • Instruction ID: 54e725a8a7ad3db33fbfb1d3a5e5e82324e3cf9c2f78d2aa896928c5ef8c7937
              • Opcode Fuzzy Hash: 4fd145c8b6554437a18e3155a627d5ae42594733539b42ee14cf6409d3f2974d
              • Instruction Fuzzy Hash: E331F535A00200AFDB20DF59C885F7AB6A8FB56754F05045FE505BF2A0E770AE058799
              Function 03471270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
              Download Yara Rule
              Strings
              • BuildLabEx, xrefs: 0347130F
              • @, xrefs: 034712A5
              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0347127B
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
              • API String ID: 0-3051831665
              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction ID: cd5ebd13e0268f28db32a7c14a3179fdf27735f4f56d904dcddd73a3fce64e06
              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction Fuzzy Hash: 3A318176900618AFEB11EF96CC44EEEBBBDEB84750F004467E914AF260D730DA058B98
              Function 034B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 034B2104
              • Process initialization failed with status 0x%08lx, xrefs: 034B20F3
              • LdrpInitializationFailure, xrefs: 034B20FA
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: 4ef57c7defa9a026b6b1a52f1f327d692a0728426001ec683e055c953723a007
              • Instruction ID: 0205cd16cb0d847c0d255619adb0da82cc9855336d6bb14dd520166f7fad771d
              • Opcode Fuzzy Hash: 4ef57c7defa9a026b6b1a52f1f327d692a0728426001ec683e055c953723a007
              • Instruction Fuzzy Hash: 33F02835640708AFD720E60DDC42FDA7768EB41B44F14085BF6007F292D2F0A510CA58
              Function 034403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: 13d9ae2e95d3b9c9111b0d018449da4b01527bafef0a27ef2f767b0bea82a04a
              • Instruction ID: f05360cd471c22fe53beb089d9d3695529d86e1889b4c573a2f40e774bf90607
              • Opcode Fuzzy Hash: 13d9ae2e95d3b9c9111b0d018449da4b01527bafef0a27ef2f767b0bea82a04a
              • Instruction Fuzzy Hash: DA714C75A002499FEB01DF99D990FAEB7F8BF08704F15406AE905AF351E734E911CB68
              Function 034452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@
              • API String ID: 0-149943524
              • Opcode ID: 4770132635d0e9c59a32eb0d3d843d17911669016f18eda0cc5067b81660ed86
              • Instruction ID: 39b28c3f51df25211247d18610c1ff8f018512eee8ae2979d0f241d13acf0e7b
              • Opcode Fuzzy Hash: 4770132635d0e9c59a32eb0d3d843d17911669016f18eda0cc5067b81660ed86
              • Instruction Fuzzy Hash: 273299745083118BEB24CF19C580B3BB7E1AF86650F1949AFF8999F3A0E734C845CB5A
              Function 03432FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @4rw@4rw$PATH
              • API String ID: 0-2366389529
              • Opcode ID: eec731c5433a9ad15ed32ff7731119d42f5b49d3078f6c00a52865d5857ed05e
              • Instruction ID: 5da5ad2ac8ef17233e1791394ffe795b13ef6592d99565698e7103acfb26da9c
              • Opcode Fuzzy Hash: eec731c5433a9ad15ed32ff7731119d42f5b49d3078f6c00a52865d5857ed05e
              • Instruction Fuzzy Hash: 76F1B179E00218DFCB25DF99D881ABEB7B5FF4A700F58402AE441AF350D774A842CB99
              Function 034FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: c4c36bf48715a4a4a0233e9f43f47fda546831d72160453ddc4a9f7a70b632f2
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: 41C1AD312043469FE724CE29C845B6BFBE5AF84318F0C4A2EF6998E290D775D509CF5A
              Function 03430CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
              Download Yara Rule
              Strings
              • Failed to retrieve service checksum., xrefs: 0348EE56
              • ResIdCount less than 2., xrefs: 0348EEC9
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
              • API String ID: 0-863616075
              • Opcode ID: ff13c8b40ac30913be3268a1a5fef4964a4c8d2cff01a0c6aaf902c878bb8599
              • Instruction ID: 2e4dbe39501a2ca385c00a74603b1294d58d8daa142ac86e7fee9e6a3ea17639
              • Opcode Fuzzy Hash: ff13c8b40ac30913be3268a1a5fef4964a4c8d2cff01a0c6aaf902c878bb8599
              • Instruction Fuzzy Hash: ADE102B19087449FE324CF16C440BABBBE4FB89314F408A2FE5999B390DB719549CF5A
              Function 004024D0 Relevance: 2.7, Strings: 2, Instructions: 185COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff$_
              • API String ID: 0-547633520
              • Opcode ID: cdc3b08cd15ff8dab6b67a7f2a7948e079e34dcf18b3bf1f4404e0f5fc6bd2aa
              • Instruction ID: 8be732b55859af216fdfe807cbd646444901edeaab77e1697ca52589047ede23
              • Opcode Fuzzy Hash: cdc3b08cd15ff8dab6b67a7f2a7948e079e34dcf18b3bf1f4404e0f5fc6bd2aa
              • Instruction Fuzzy Hash: FD51E771B0050A9BCB18CE5DDE942AAB3A2FBD4305F18817BE904DB3C1EA75ED558B84
              Function 034AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: a95d5583542a5797d18b152cf55aeef08febe9fc7a038e9a0fe5cf5a64c0c319
              • Instruction ID: aac09f02e668721a0cf8760385e3d4670f7f879abaeb0cb1ba8d8f23f0ef9490
              • Opcode Fuzzy Hash: a95d5583542a5797d18b152cf55aeef08febe9fc7a038e9a0fe5cf5a64c0c319
              • Instruction Fuzzy Hash: E2615D75E007089FDB24DFA98880BAEBBB5FB54700F14406EE669EF251D731E940CB58
              Function 0344F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$
              • API String ID: 0-233714265
              • Opcode ID: b29923a865a09425d4ea51cf7702f539aed2e749f18ad1e4b8c4ae78982d5a9e
              • Instruction ID: df7012dfc2caaefe01f03b938d59d4e9527eaf6549270f5f24550a957aab1b8c
              • Opcode Fuzzy Hash: b29923a865a09425d4ea51cf7702f539aed2e749f18ad1e4b8c4ae78982d5a9e
              • Instruction Fuzzy Hash: BD61BA75A00749DFEB20DFA5C580BAEBBB1FF48304F08446ED515AF690DB74A949CB88
              Function 0343A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 0343A309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 0343A2FB
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: 31e071b01e8291a2ef99faba09729b45f606cbc0244b9fb343ef05986ed3a587
              • Instruction ID: 10a029776ac6376d95eedd7fa2db1d5fc0f66b478b17a2f5235ee68e83f9a6e4
              • Opcode Fuzzy Hash: 31e071b01e8291a2ef99faba09729b45f606cbc0244b9fb343ef05986ed3a587
              • Instruction Fuzzy Hash: B741BB34A44649DBEB11CF69C840B6ABBB4EF8A710F1844ABEC54DF3A1E275C901CB59
              Function 0346329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local\$@
              • API String ID: 0-380025441
              • Opcode ID: 04061eaefe92383d2c20fd7887cc65ff589cd28c9990631af2d252d28c4ed54e
              • Instruction ID: d5837a7166401a75b28e2f8c792d42ee47105dcf9770b5379660dc701e18ab9a
              • Opcode Fuzzy Hash: 04061eaefe92383d2c20fd7887cc65ff589cd28c9990631af2d252d28c4ed54e
              • Instruction Fuzzy Hash: 1231B37A6083449FD320DF29C880A6BBBE8FBC5654F48092FF5958B260DA30DD45CB97
              Function 0343C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 213d3a1cd13058be44e41003a53d4bebcf0d59bbd676b81e9eafcdbd521d8020
              • Instruction ID: 7995c7478648fc77ecfb0fd331cbbaf64bcd9f2fd3615bfb2c14d1b2cba84c22
              • Opcode Fuzzy Hash: 213d3a1cd13058be44e41003a53d4bebcf0d59bbd676b81e9eafcdbd521d8020
              • Instruction Fuzzy Hash: D7821975E002189FDB24CFA9C980BAEF7B5BF4A710F18816AD859AF394D7309D41CB58
              Function 034DA118 Relevance: 1.8, Strings: 1, Instructions: 591COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 64a5025c7d5a9c8245863379606be1aa89387edcab828bd374a5efcf5701dd54
              • Instruction ID: db4b6d57c49e036a4556835fdfe7a69c0d01a9e15df876160917d9a23bb985f8
              • Opcode Fuzzy Hash: 64a5025c7d5a9c8245863379606be1aa89387edcab828bd374a5efcf5701dd54
              • Instruction Fuzzy Hash: 2922CC742046618BDB24CF29C0A4777B7F1AF45304F0C889BE8A68F796E735E452CB69
              Function 0345FB80 Relevance: 1.8, Strings: 1, Instructions: 559COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: IrwIrw@4rw@4rw
              • API String ID: 0-3882697584
              • Opcode ID: 0f8a859f2d58c54f92f578f05c878e5e2276277932e6fe9bfda5760a3b760b49
              • Instruction ID: a678b1a61ed55111aa18296e7b09635c201fc593fb4374a5fec4438194b8af3d
              • Opcode Fuzzy Hash: 0f8a859f2d58c54f92f578f05c878e5e2276277932e6fe9bfda5760a3b760b49
              • Instruction Fuzzy Hash: A6229E759006099FDB14DFA8C880BAFB7B5FF54310F1885AAE8149F385E770EA45CB98
              Function 03437370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 990cbf9fa050c07f397bb9108ebfb6e08971c2d0e25e9a42ea161d8c404be9a3
              • Instruction ID: 59cbeae94ff0f602ced543ddb812e27d5df893e0c58a5a6f6d100ea6bd09a366
              • Opcode Fuzzy Hash: 990cbf9fa050c07f397bb9108ebfb6e08971c2d0e25e9a42ea161d8c404be9a3
              • Instruction Fuzzy Hash: C0A167B5608342CFD724DF29C480A2BBBE9BF89314F14496EE5D58B350E730E945CB9A
              Function 03452E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: 3879ace94afe817b90bbe46a23332a49a4d72a4644c19d40f29a02a3c7cf18dc
              • Instruction ID: 09e8124e4509debcb4bb985f3ae7ae0c40ed4804bf1f4e23bc39913d7e1d3a07
              • Opcode Fuzzy Hash: 3879ace94afe817b90bbe46a23332a49a4d72a4644c19d40f29a02a3c7cf18dc
              • Instruction Fuzzy Hash: 65F18F79A087458FDB21CF25C480B6BBBE5AB88650F09486FFC999F342CB30D945CB59
              Function 00416C10 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 4dd1c891a23724eb88622a53e6210b8710e304a4e9b0b2f0a199a1af06113f8f
              • Instruction ID: f00547da6b71561f4d7244a2f184f6dc2a1ed8636f0915dc701a1be70c8abe47
              • Opcode Fuzzy Hash: 4dd1c891a23724eb88622a53e6210b8710e304a4e9b0b2f0a199a1af06113f8f
              • Instruction Fuzzy Hash: 06021E76E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D6746A418F80
              Function 00416C13 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction ID: 64d128b68919b331b5b83ad656077705ab997659b72a2a3c2cdd88d4fe0fbe2c
              • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction Fuzzy Hash: 97021EB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
              Function 0345FDC0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: IrwIrw@4rw@4rw
              • API String ID: 0-3882697584
              • Opcode ID: 257ab352cceeb22eddedd78860f0d20d704a2e41929ae39536ddadf8c571d382
              • Instruction ID: c4623bf1e39b7f0b0f5d25064fc792f78307fb8b2416a42af43c713db0c07ba6
              • Opcode Fuzzy Hash: 257ab352cceeb22eddedd78860f0d20d704a2e41929ae39536ddadf8c571d382
              • Instruction Fuzzy Hash: EEF1AE74A00609DFDB14DFA8C880BAEB7B5FF58304F1885AAE815AF345E734DA45CB94
              Function 0346F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 46bc668a30a793771ffdd25fdb4a608aef87d4e18d8ef8eb884577559055f96b
              • Instruction ID: 8dfdacb1ce167c288fd004cea4aeaecef25992ac224c6b06862535b9d0b5fa85
              • Opcode Fuzzy Hash: 46bc668a30a793771ffdd25fdb4a608aef87d4e18d8ef8eb884577559055f96b
              • Instruction Fuzzy Hash: AC414B74D00688EFDB20DFA9D480AAEFBF4FB49300F54416ED899AB221D7309905DF64
              Function 03430100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: c0047d08748991a07c08f296687c3a790a16eceb5d13efe9e2354dc3fa11306c
              • Instruction ID: b83091799d4a52a129cba6edd5d9ae7801c60578234c7d7cedb8f4061ca1a3bb
              • Opcode Fuzzy Hash: c0047d08748991a07c08f296687c3a790a16eceb5d13efe9e2354dc3fa11306c
              • Instruction Fuzzy Hash: 47A10A31A043686ADF24DB598840BFFA7A95F4A304F0842DBED976F381C674CD858B5D
              Function 0346A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: ea049d22bd80c3ff29964befb9df97090d1064b8291757abcb12e5abb2cf868b
              • Instruction ID: 62e1466adc810ac9a9e89d53412e2de295475434b79cf05dd81f0352b071f0f7
              • Opcode Fuzzy Hash: ea049d22bd80c3ff29964befb9df97090d1064b8291757abcb12e5abb2cf868b
              • Instruction Fuzzy Hash: 97715C79E0160A8FDB28DF9DD5906AEBBB5BF58700F19816FE805AF350D7348801CB58
              Function 0343973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction ID: a13ddf2fbd0cf5108a48de513ac79d649daffa1e88269cd2638d58035c301a9d
              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction Fuzzy Hash: 3C614C75D00219AFDF25DF95C840BEEFBB8EF89714F14456BE820AB290D7B49A01CB54
              Function 0342B2D3 Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 04rw04rwIrwIrw@4rw@4rw
              • API String ID: 0-2844649184
              • Opcode ID: 063e9161c3c2bac278b24fc22cd04b535163e434c51032a8589414cf0265f4a2
              • Instruction ID: 1415bf1e300cd2f6ac39aba251518ef6904be72a3d3231c043feb927837740db
              • Opcode Fuzzy Hash: 063e9161c3c2bac278b24fc22cd04b535163e434c51032a8589414cf0265f4a2
              • Instruction Fuzzy Hash: 844134356007109FD726EF2AD880F2ABBA8EF45750F55846FE519AF3A0D770DC018B98
              Function 034BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction ID: 251f5064371e1cfbb4fb1102883778aef5d1ea49974000058aca57c75401a188
              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction Fuzzy Hash: ED516A72604705AFE721DF55CC40FABB7B8EB84750F04092EB5889E290D7B4E9188BA9
              Function 0344E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: c1c978d8c763fbcdbbb74c7bbc05b968b825c5fca01c17a9d974c51f240398bf
              • Instruction ID: 3d8eb3a0f9e22413f8f43462a7f06e93a64ae5999340aa7a7fb4ba3c000a2509
              • Opcode Fuzzy Hash: c1c978d8c763fbcdbbb74c7bbc05b968b825c5fca01c17a9d974c51f240398bf
              • Instruction Fuzzy Hash: BE417D766083119FE710DB658A80B6BB7E8BF88714F44093FF994DF280E674D944879A
              Function 034EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: PreferredUILanguages
              • API String ID: 0-1884656846
              • Opcode ID: bc03fdd48dca9a3ce8b8910da1b836c682b6b38da908a921154311538cc59c61
              • Instruction ID: 66be4d48e2731513f5c2920a2b2e3a2607757a79a860f3350f6823437173c08c
              • Opcode Fuzzy Hash: bc03fdd48dca9a3ce8b8910da1b836c682b6b38da908a921154311538cc59c61
              • Instruction Fuzzy Hash: E741D136D04219ABCB11DA95C841BEFF7B9EF44711F05016BE951AF354D6B0DE40C7A8
              Function 034AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: 9533ad98e007e7c93302b8c1cd274ae9b752cc1314bb9f13117048b5a5f87fd9
              • Instruction ID: 85c039417e1dadd2035b6619d4fd26cb63fd424d4c352fa1412e328ceb2232db
              • Opcode Fuzzy Hash: 9533ad98e007e7c93302b8c1cd274ae9b752cc1314bb9f13117048b5a5f87fd9
              • Instruction Fuzzy Hash: 404144B5D0062CAEDB61DB55CC84FDEB77CAB45714F0045AAE608AF140DB709E498FA8
              Function 034B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: verifier.dll
              • API String ID: 0-3265496382
              • Opcode ID: bc8039e2400dfaaab3b2f985465e01f503a463098320dbeac67fdd6b7ce690b7
              • Instruction ID: 497605a79a930d1697404efafd8803687230d822fc49d34ab265b85928045ca7
              • Opcode Fuzzy Hash: bc8039e2400dfaaab3b2f985465e01f503a463098320dbeac67fdd6b7ce690b7
              • Instruction Fuzzy Hash: A9318F75B103019FDB25DF69A850AB6B7F5EB4A310F58847FE6089F390E731888197A8
              Function 034636EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Flst
              • API String ID: 0-2374792617
              • Opcode ID: 4a9ab4e6eeb85a6768cc21ca02421f3e98583a1c5084c814224b0b25b21ad96b
              • Instruction ID: 62b50447e87813899b09301d1f550a7e6aca7f5eb74d845ae9bcef08288b52e3
              • Opcode Fuzzy Hash: 4a9ab4e6eeb85a6768cc21ca02421f3e98583a1c5084c814224b0b25b21ad96b
              • Instruction Fuzzy Hash: 154198B56053019FC314CF19C080A26FBE4EB99711F1885AEE45A8F391DB71D942CB9A
              Function 03429730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: L4rwL4rw
              • API String ID: 0-1810648253
              • Opcode ID: c8829691fcc26e9e9ff3f6b5cdda20c3a7a177689c6101b75c412d76214551a0
              • Instruction ID: b71f6a2abe6bbb2b5b9b4fd4d186e0bc59fa95664e4299eb484183ae72829032
              • Opcode Fuzzy Hash: c8829691fcc26e9e9ff3f6b5cdda20c3a7a177689c6101b75c412d76214551a0
              • Instruction Fuzzy Hash: 3721D33AA00B20AFD322EF598400B1ABFB4FB84B50F15046FE965AF350D770E811CB98
              Function 004043B5 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 1
              • API String ID: 0-2212294583
              • Opcode ID: 244d2770baa3664edfb760c082f47067951ba787497dad10369a88cf32556f9a
              • Instruction ID: a5bb284df4fb888165ccb396f49a2800f45825ece005ad37e932bfb9cf284df3
              • Opcode Fuzzy Hash: 244d2770baa3664edfb760c082f47067951ba787497dad10369a88cf32556f9a
              • Instruction Fuzzy Hash: 60215171D1021D9FCB54CFB998025EFBFB0AB45310F10866AD96AE7291E7388705CF96
              Function 03435096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: 14f42f66a77c068273c898f04f76f489a1ef0c413305e351e5c554d9b9f8f794
              • Instruction ID: a6e0cdc34d7dc36e092ffb742f483b55def58011b3a19172f8178e7d04559454
              • Opcode Fuzzy Hash: 14f42f66a77c068273c898f04f76f489a1ef0c413305e351e5c554d9b9f8f794
              • Instruction Fuzzy Hash: 981154307055128BEB24C91D98506B7B6E5EB9F264F3885ABD4A1CF391D672D8428788
              Function 0346E8F0 Relevance: 1.0, Instructions: 985COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f94fc2c06aead4c42c46ce32e4ae53c57a21512011b41cc29ae779415a0b00ef
              • Instruction ID: 361a1b03acf8e4ca0796afd0ac15fc5fa7eb0abe6519a5f8b2f62e9a43108d42
              • Opcode Fuzzy Hash: f94fc2c06aead4c42c46ce32e4ae53c57a21512011b41cc29ae779415a0b00ef
              • Instruction Fuzzy Hash: 1E822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB345DA34AC568B45
              Function 0347516C Relevance: .8, Instructions: 785COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8bed42d9ea82a47ab628577b264d17e4e89b9289721389e66fbec754a20d1c3f
              • Instruction ID: 5b33029e9a0f2847953fd732bd61bd4134af70cbc59890f319a166e6f007bfb4
              • Opcode Fuzzy Hash: 8bed42d9ea82a47ab628577b264d17e4e89b9289721389e66fbec754a20d1c3f
              • Instruction Fuzzy Hash: 87628F3280464AABCF24CF48D4905EEFB62FA56314B49C5DEC89A6F704D331B955CBD8
              Function 0348739A Relevance: .7, Instructions: 705COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b96890ead0b73511fa2e457145390f2a7b69de6a4cbbf606bc828de036887b1d
              • Instruction ID: e858232ca6f6d79dc2d6b9de88600374b0a4612588a370bd47a2dccee2ca4cc5
              • Opcode Fuzzy Hash: b96890ead0b73511fa2e457145390f2a7b69de6a4cbbf606bc828de036887b1d
              • Instruction Fuzzy Hash: 9342E334A006168FDB14DF59C4A0ABEFBB6FF88314B28856ED452AF350D734E842CB94
              Function 03485AA0 Relevance: .7, Instructions: 652COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
              • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
              Function 0345B2C0 Relevance: .6, Instructions: 629COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3774727c0f4193600fd1fe83a2a19eae3fa19a223fd05c2057e63251b38c2ed0
              • Instruction ID: 8b03808e26b0dd9689ce572a206057886a6ece5143cf5d771a0a942ba2399576
              • Opcode Fuzzy Hash: 3774727c0f4193600fd1fe83a2a19eae3fa19a223fd05c2057e63251b38c2ed0
              • Instruction Fuzzy Hash: 77329E75E012199FCF24DFA8C880BAEBBB1FF54714F18002AE815AF392E7759941CB95
              Function 034F16CC Relevance: .6, Instructions: 571COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0301393f6fe521ba23267ee5dc93748acb36cf613fd51c473f78d2eaa72dff03
              • Instruction ID: b69902c5ed8379cb0ece42eea50828f1742e953226698ea9d5f73c70acac99f9
              • Opcode Fuzzy Hash: 0301393f6fe521ba23267ee5dc93748acb36cf613fd51c473f78d2eaa72dff03
              • Instruction Fuzzy Hash: F722A035A00216CFDB19CF59C490AAAF7B6FF88314B1C456EDA569F344DB30E942CB94
              Function 034F1D5A Relevance: .6, Instructions: 559COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1544b16c87ed4035b12daec871c7fa51435d1f148529cebca231b3e1c7735535
              • Instruction ID: 3eaa6ef258dceb8ee77aa6199473519725193f71a6bc255112ae445e8e9859d2
              • Opcode Fuzzy Hash: 1544b16c87ed4035b12daec871c7fa51435d1f148529cebca231b3e1c7735535
              • Instruction Fuzzy Hash: C3229E396047128FC718CF29C490A2AF3E5FF89314B184A6EEA96CF351D770E842CB95
              Function 03458DBF Relevance: .6, Instructions: 554COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab3fe7b6fa202fed1968ba22c2dc7f164023212dd22c310eabdfab992a58e75d
              • Instruction ID: 73747ee5d2cb2a7a11f42b60271ed094c70cd6cb3c453ee5bb30a5aa56d2a3df
              • Opcode Fuzzy Hash: ab3fe7b6fa202fed1968ba22c2dc7f164023212dd22c310eabdfab992a58e75d
              • Instruction Fuzzy Hash: 9A221A71E0021ADBDF14CF95C5809BEFBB6AF49704B58809BE855AF342E734D942CB68
              Function 034F2446 Relevance: .5, Instructions: 485COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51d4eecbee6b1c72a141b5c374b1aa79b28837d717883cc4b048e696a669cafb
              • Instruction ID: 982e85ba1b33f3e9bb6b01d256f21f6b1fb6fe6048d4d58f94499d396742889e
              • Opcode Fuzzy Hash: 51d4eecbee6b1c72a141b5c374b1aa79b28837d717883cc4b048e696a669cafb
              • Instruction Fuzzy Hash: 7602F1386006518FDB64CF2AC450276F7F1AF45300B1C899BDAA6DF391D7B4D842DB68
              Function 0350B16B Relevance: .4, Instructions: 450COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7180d1ce6e10c3095fb6e27ac9c0df3cf853fa20175eef49a8f36fcbf5c0acb9
              • Instruction ID: 7e958c79e8aa6a8a762c746ee6c69108dfea0db480f9188ea4a594654adb3dc3
              • Opcode Fuzzy Hash: 7180d1ce6e10c3095fb6e27ac9c0df3cf853fa20175eef49a8f36fcbf5c0acb9
              • Instruction Fuzzy Hash: 41F1E572E006118BCB18CFA9D9E067EFBF6BF8821071941ADD456DB3D0E635EA41CB90
              Function 00410473 Relevance: .4, Instructions: 435COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction ID: 88d23651ec162f8cabfa6e94da8f30bb01e559e0e651c4143a2d5ae2e0e11b0c
              • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction Fuzzy Hash: 30026F73E547164FE720DE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
              Function 0350A9A6 Relevance: .4, Instructions: 425COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 572a458045cf36bdc235742308327d79e948f65bc516bae58cdd0fc53f7d83ef
              • Instruction ID: b7425a27ff4634d1233ff6d7c686547a250a9b1c078ee47e66a104c920e1d335
              • Opcode Fuzzy Hash: 572a458045cf36bdc235742308327d79e948f65bc516bae58cdd0fc53f7d83ef
              • Instruction Fuzzy Hash: 57F1E573E006269BCB18CE69D5A05BDFBF5BF44200B1A426AD856EB3D0E735DE40CB90
              Function 03428397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c871782be4bf2196e5950812303b9d2c703d6a5148413bcfa80baac0fadf2d4
              • Instruction ID: b2a65e7bf794a319d1721202e5291771cbf5e4bd273aa4fec5ba25519fad1fe9
              • Opcode Fuzzy Hash: 9c871782be4bf2196e5950812303b9d2c703d6a5148413bcfa80baac0fadf2d4
              • Instruction Fuzzy Hash: C8D1C175A006269FCB14DF65C890ABFBBA5FF44204F48466FE816EF290E734D941CB68
              Function 0345C6E0 Relevance: .4, Instructions: 367COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0abf65c6615c877719e7efde18b5957e4ff59fef27732925e58152334fb7cd5a
              • Instruction ID: 2b7b3a083df6fd18b734ec22a309d8ac0aa8974c94b2c884f3a1349742e97c8e
              • Opcode Fuzzy Hash: 0abf65c6615c877719e7efde18b5957e4ff59fef27732925e58152334fb7cd5a
              • Instruction Fuzzy Hash: 9BD14F71E043198BDF28CA98C5C47BEBBB5EB44305F18805BE852AF796D7748D82CB48
              Function 034438E0 Relevance: .3, Instructions: 349COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c406320c255fe81fab5d08921be6b2787124d515868073131f274c3c80d3b5e
              • Instruction ID: 8e600d0beaf7d165cee5d9cd764d25c10d1b7d06313cb9802a5b760459c96beb
              • Opcode Fuzzy Hash: 4c406320c255fe81fab5d08921be6b2787124d515868073131f274c3c80d3b5e
              • Instruction Fuzzy Hash: 26E1AD75A00245CFDB18CF59C880AAAFBF1FF58710F1981AAE855AF391D734EA41CB94
              Function 0344CFE0 Relevance: .3, Instructions: 345COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 34c88952807a35594c71908740d068c2961b03044e942f69409f1500d5f717d2
              • Instruction ID: a3f83893b3cb5b1464e452be99e9d3ebd8bd88358133d3a6c17a44fbd1734baf
              • Opcode Fuzzy Hash: 34c88952807a35594c71908740d068c2961b03044e942f69409f1500d5f717d2
              • Instruction Fuzzy Hash: BAD19231E003298FFB24DB15C894BAAF7A5BB46304F0840FAD9099F356DB74AE85CB55
              Function 0343D7E0 Relevance: .3, Instructions: 342COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e3b53098db3cc21546b7707b3563925e57589c505ac416229dbc0b8ff0165f4
              • Instruction ID: 58bcbc561d5e9bb9563dc6f7d969cbcf3925afef97caf9804d71d9bfb02ac6cc
              • Opcode Fuzzy Hash: 1e3b53098db3cc21546b7707b3563925e57589c505ac416229dbc0b8ff0165f4
              • Instruction Fuzzy Hash: 7BC18871E002159FEF18CF5AC945BAEFBB5EB56310F18825BD825AF390D770A942CB84
              Function 03440535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: fcf05a7f56e8286c3ceccec38c9f9188496f8df0c257b810bfcad16a6be7ea47
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: DEB1F275600645AFEF21DB69C850BBFFBB6AF44200F1801ABD6529F391DB30E942CB58
              Function 034590DB Relevance: .3, Instructions: 287COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb8c30abf6299318b7ee1ee2430773f6d8e0b471b958cd1522c9820f6629e81c
              • Instruction ID: 80241015efe3fed7678d3df84c297e07c9c827fbb48068e5c112d7e1ae45b143
              • Opcode Fuzzy Hash: fb8c30abf6299318b7ee1ee2430773f6d8e0b471b958cd1522c9820f6629e81c
              • Instruction Fuzzy Hash: A2A13A75900215AFEB22EF65CC41BAE7BB9AF46750F05046AF900AF2A0D7759D10CBA8
              Function 034383C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4feded4ad647b8e02efbeabc59f82e3825893f9913ddab919bd373edcea7b66
              • Instruction ID: f61a87c94f0ca1be8e75b3c1b3dae14ff866f2fea6652007ccd100d020dfae57
              • Opcode Fuzzy Hash: a4feded4ad647b8e02efbeabc59f82e3825893f9913ddab919bd373edcea7b66
              • Instruction Fuzzy Hash: 98C126742083418FEB64CF15C484BABF7E5BF88304F48496EE9998B390D774E909CB96
              Function 03470185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 528e3913c505bf6b1910bf51b16d37aa201818c8230faf2997592376d6f76433
              • Instruction ID: 223e00a623a60b468aa20027a773bd72a444b953b917222ba2e56a48378c7fe6
              • Opcode Fuzzy Hash: 528e3913c505bf6b1910bf51b16d37aa201818c8230faf2997592376d6f76433
              • Instruction Fuzzy Hash: 78A1D075A0171A9FDB24DF69C590BEAB3B5FF54304F04402AEA159F391DB34E812CB98
              Function 0344E3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77db694137ad1f918aeb8de47c57b4460288a4a64cecd0043189f72c45e9ed7b
              • Instruction ID: b258235172fb41feb25b777500bcf5a57f71ffd12d8cfab052f90d907abd8dd4
              • Opcode Fuzzy Hash: 77db694137ad1f918aeb8de47c57b4460288a4a64cecd0043189f72c45e9ed7b
              • Instruction Fuzzy Hash: 45910235A006218FFB24DB69D440B7ABBA5FB84710F0940BBE8159F391E7349982CB99
              Function 03431131 Relevance: .3, Instructions: 259COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 909b914a6c8e2f6685999a56abe2a7d35ae54eaaa5f6ee25d1e2c3a2bac43848
              • Instruction ID: 4012dca122d98c92be6c18aed3c668bffaa9dae7be19d26532d9803e5ad31490
              • Opcode Fuzzy Hash: 909b914a6c8e2f6685999a56abe2a7d35ae54eaaa5f6ee25d1e2c3a2bac43848
              • Instruction Fuzzy Hash: 8DB11175A093408FD364DF28C580A5AFBE1BB89704F184A6EF899DB352D370E945CB46
              Function 03464750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction ID: 0461f3787e31e46c8ac757bdc60c831eb3fefa5ff034e46647c35c58176478d5
              • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction Fuzzy Hash: 8F813B3AE047958FEF21CEADC8C026EBB55EF62200B1C467BD4529F341D264D986C79A
              Function 034FF7B0 Relevance: .2, Instructions: 242COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cf5c8f8eab2e1764832a6ee8971314c4943b1632329f8d41118ec009824ff05
              • Instruction ID: d02031021431914013839ce884f6040e59daf38740d6bc43a8794835650c16dd
              • Opcode Fuzzy Hash: 3cf5c8f8eab2e1764832a6ee8971314c4943b1632329f8d41118ec009824ff05
              • Instruction Fuzzy Hash: 2C91BE72A00606AFDB14CF29C880BABB7E5EF44310F0C856AEA55DF391D774E919CB94
              Function 034FF43F Relevance: .2, Instructions: 241COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d2421a0244f7f5475e6e3a454940a19ccefaa1566172e05aad9328a5aa6b7e09
              • Instruction ID: f13c8d049861bfb23793a43516522ff43065f213dec2954f9000c2eb59598609
              • Opcode Fuzzy Hash: d2421a0244f7f5475e6e3a454940a19ccefaa1566172e05aad9328a5aa6b7e09
              • Instruction Fuzzy Hash: E3910172A001059FDB18CF69C891ABEBBF1FF88310F1982AAE915DF395D634D906CB54
              Function 034F81CC Relevance: .2, Instructions: 232COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ccd15d4c07b69ebd7a4ef49a4908f322803ac4f1161758ec31ed80a1ce1463f9
              • Instruction ID: 22307f75ced3a7b47510ac88cdf3916827953acb269ea3cb78d695fa1c05e37c
              • Opcode Fuzzy Hash: ccd15d4c07b69ebd7a4ef49a4908f322803ac4f1161758ec31ed80a1ce1463f9
              • Instruction Fuzzy Hash: F681A272E005299FCB14CF69C8805AEB7F5FB88210B1D426BD925EF390E774E952CB94
              Function 03440E59 Relevance: .2, Instructions: 231COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f809f20eb2e02356c1df5c8b5bfdc25167683a32dc43c8a8d2fab99a1283517
              • Instruction ID: 44ae731e3e902229c420171606ae9806a2d86154806e76b23e40278b2792f317
              • Opcode Fuzzy Hash: 0f809f20eb2e02356c1df5c8b5bfdc25167683a32dc43c8a8d2fab99a1283517
              • Instruction Fuzzy Hash: 8081A531A00619DFEB14CE69C8809AFFBB2FF85210B2882B7E9149F345D770E951CB94
              Function 034EE4F6 Relevance: .2, Instructions: 224COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4157c57506cc1cb6767105a01b2648c9077f70f74f4a6a37280cc1421b54fa64
              • Instruction ID: dc3151647fa4b429aee8ee896e9aa937e9a4e487d4332be4cc8d4936321e85bb
              • Opcode Fuzzy Hash: 4157c57506cc1cb6767105a01b2648c9077f70f74f4a6a37280cc1421b54fa64
              • Instruction Fuzzy Hash: 6381A176E002159BCB18CFA9C580AAEFBF1EF88311F5981AAD815EF385D7309941CB94
              Function 0345D090 Relevance: .2, Instructions: 217COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction ID: 576d90d0b25a74f1e4ee2da6191383f27a3c17761031ec19c09fab2db8a8081a
              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction Fuzzy Hash: 77818D76E001168FEF14CF59C9807AEFBB2FF85304F19816BD815AF341D6319A818B99
              Function 0346E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 43ec7eb1ee376f795ea4d08f60756f18b7f233e80a94c1fe787ab3d2b2d5547f
              • Instruction ID: 6b2112227ac30a753fb7a40d20b40e1fa4af22983fb5f45d4dcebe546c4a99b6
              • Opcode Fuzzy Hash: 43ec7eb1ee376f795ea4d08f60756f18b7f233e80a94c1fe787ab3d2b2d5547f
              • Instruction Fuzzy Hash: 72816E75A00709AFDB25CFA9C980AEEF7FAFB88340F14442AE555AB250D730AC85CB54
              Function 0345B950 Relevance: .2, Instructions: 209COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6f365072322dad5a5c5602b3ada4deda133d8d67149f758c04133764a0c4ad8
              • Instruction ID: 47f290ccae03efd289da4722d4cd76ace1bde46494ba5f5fdc531c31c8c8eae9
              • Opcode Fuzzy Hash: e6f365072322dad5a5c5602b3ada4deda133d8d67149f758c04133764a0c4ad8
              • Instruction Fuzzy Hash: B671B234A046508EEB24CE2AC940737BBE1EB85704F58855FFC968F2D6D735AC46CB68
              Function 0344C640 Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b62761dfff48faf358aa2ff39df10e80c23005380e3eb578d4b8f7da6c1166d
              • Instruction ID: 70115595f2e0419deeac028074e2832eeeb2ee87de8c4a665bd56baeede3255b
              • Opcode Fuzzy Hash: 4b62761dfff48faf358aa2ff39df10e80c23005380e3eb578d4b8f7da6c1166d
              • Instruction Fuzzy Hash: B071CDB5C01225ABEB25CF59C590BBEBBB4FF5A700F18416BE851AB350D7309801CBA8
              Function 034EDAC6 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abf1d9999ce9c730ce7cb13bcf33a5ce0f3d052af90e1ca31d466c43806855e5
              • Instruction ID: 442c3c8481b2fc3f15bf940dbc2e90945246f6aca34a35b451c7149bbc85def0
              • Opcode Fuzzy Hash: abf1d9999ce9c730ce7cb13bcf33a5ce0f3d052af90e1ca31d466c43806855e5
              • Instruction Fuzzy Hash: 53818B70D002959EDB24CF6AC444ABBBBF1EF4A741F04849AE4A5AF385D374D841DF58
              Function 00402740 Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 49eff0d2a68723a4ce6d9c3312ed3357269fd8e43f7b37755cdef09605d5db48
              • Instruction ID: d45857cfb9d8c7105f7d0e5c5b1f15c076d75cdb61a62b93fb2ca206c2892c72
              • Opcode Fuzzy Hash: 49eff0d2a68723a4ce6d9c3312ed3357269fd8e43f7b37755cdef09605d5db48
              • Instruction Fuzzy Hash: EC512676B0010547DF18995DCE8926AB396EBA4315F68827FDD09EF3C1E6BCDD0182C4
              Function 034F70E9 Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 510b564c1c33f38f9c6b9b67a0dc65e5b9009a0e25b3cabed7aa05606dda79eb
              • Instruction ID: 61536865ec3e2bbf5a6b50a976d9a4e13ccaf8ba9b2c1304f0c3827915fc3321
              • Opcode Fuzzy Hash: 510b564c1c33f38f9c6b9b67a0dc65e5b9009a0e25b3cabed7aa05606dda79eb
              • Instruction Fuzzy Hash: 3861B575E003169FDB10EEA6C8809BFBB69AF44250F1D447FEA11AF340DB78D9458B98
              Function 0344260B Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 70044345ca6d4f29ed8234fa33532d8889d79d8d0c4bc38800f2d9abe2b3d45e
              • Instruction ID: 95d4514f0d3d197d1266c8d90830eb1fe8398aa11386f0f39d4246c49c482ab0
              • Opcode Fuzzy Hash: 70044345ca6d4f29ed8234fa33532d8889d79d8d0c4bc38800f2d9abe2b3d45e
              • Instruction Fuzzy Hash: 9471BF756046419FE711DF29C480B2AB7E5FF88210F0989BBF8948F361DB78D846CB99
              Function 034EF0CC Relevance: .2, Instructions: 199COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cb038c32a865fc6f5418d918f83b648f4bffc747d31af4c8147fbeeb5fbb2fcf
              • Instruction ID: f97fefe64f8a68b36b53b4f1f8e647112eb0d60e406f475a8237373767c4ba92
              • Opcode Fuzzy Hash: cb038c32a865fc6f5418d918f83b648f4bffc747d31af4c8147fbeeb5fbb2fcf
              • Instruction Fuzzy Hash: F371BD39A01626DBCB24CF5AC08053AF3F1BF45306B6A486FD8929B740D375ED49DB58
              Function 034B035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: b926e80f51aa0c025c77bdefb32d6d52e77c8b71e9d0d59271516b4ae3c98764
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 2F716E75E00619AFDB10DFA9C984EDEBBB8FF48700F14456AE505AF250DB34EA01CBA4
              Function 034C62A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 96b3568bcb20c4a335bf96fca3e9cc4e1b3686b82a529248d67e990c19254528
              • Instruction ID: 69323f243f7a604f4872f72a801972b43f252d4d7a584e7f2054f12e8d5afca4
              • Opcode Fuzzy Hash: 96b3568bcb20c4a335bf96fca3e9cc4e1b3686b82a529248d67e990c19254528
              • Instruction Fuzzy Hash: AF71023A210B40AFE731DF15C844FA6B7A5EF44720F1A892EE2558F2A0D778E944CB5C
              Function 034F7A46 Relevance: .2, Instructions: 193COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 860b3993f5d338a2cae24e48343b3a02eddc631360bf87b2e5a39cdd03609629
              • Instruction ID: 404113ecebc9af41ec69abd902181d1014c74e31d98b737e7834d6c70d1c9a21
              • Opcode Fuzzy Hash: 860b3993f5d338a2cae24e48343b3a02eddc631360bf87b2e5a39cdd03609629
              • Instruction Fuzzy Hash: 29513A75A002255FCB14DF69C8809BBBFE6EF88354B1D416EEA54DF384DA38C902C7A4
              Function 034F132D Relevance: .2, Instructions: 188COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 911ad33cf2e92ea1f8baef3cec648c96f4ee228d44fda85e563cee96299e5e45
              • Instruction ID: 4976033a855dbb3c8a704afd12cdc288e904fd9cc1b23a20e6c768136cffc3e2
              • Opcode Fuzzy Hash: 911ad33cf2e92ea1f8baef3cec648c96f4ee228d44fda85e563cee96299e5e45
              • Instruction Fuzzy Hash: 3F817E75A00245DFCB09CF99C490AAEB7F1FF88300F1981AAD859EB355D734EA41CB94
              Function 034F903E Relevance: .2, Instructions: 186COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e18512b443aa2ac3eb5b216678c8e334046557988853464f7829158e841f0a4
              • Instruction ID: 7580d88a02bd688f11148244f0a99623c63bb383b5d9234e7f008178bdc8f2c4
              • Opcode Fuzzy Hash: 9e18512b443aa2ac3eb5b216678c8e334046557988853464f7829158e841f0a4
              • Instruction Fuzzy Hash: E161D075600715AFD315DF65C884BABBBA8FF84710F08461EFA688F240DB30E915CB99
              Function 03437703 Relevance: .2, Instructions: 179COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9850ba2704a8246bee4bc9524c672f17256216c372012c3a4fc82fa244e62244
              • Instruction ID: d9844eaf72e47a3566ac47bb3ac78a059ef7e030eb08cceac880926eeebf304e
              • Opcode Fuzzy Hash: 9850ba2704a8246bee4bc9524c672f17256216c372012c3a4fc82fa244e62244
              • Instruction Fuzzy Hash: DB6174B5A00606EFDB18DF69C480AAEFBB5FF49200F18856FD459AB350DB30A945CBD4
              Function 034F92A6 Relevance: .2, Instructions: 174COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28f6f55d388fc5c5c108d88fb01c4b5b1e53e4f3c7965931108523c01a703934
              • Instruction ID: 22d847a39185b43030bfb3d51c3f163aab6ebee199b8253eb0d72d9c852ce5f7
              • Opcode Fuzzy Hash: 28f6f55d388fc5c5c108d88fb01c4b5b1e53e4f3c7965931108523c01a703934
              • Instruction Fuzzy Hash: 9B61AE356087828FD315CF65C494B6AB7E0BF94704F1C486EEA958F391D735E806CB89
              Function 034FCE93 Relevance: .2, Instructions: 172COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction ID: fd5e0b69d9f9a72ce218e65d4bb9387658b6d5a8176f993de13117627459c741
              • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction Fuzzy Hash: 61510932A047069FC714DE29889076BF7D6AFC1250F1D846FEA55CF389DA30DC0687A9
              Function 00410253 Relevance: .2, Instructions: 165COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction ID: ef8d4d7dbaac497d0699015afd9d0b6d845f196cbc7cbde7d2898ece31875e9d
              • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction Fuzzy Hash: A85183B3E14A214BD3188E09CC40632B792FFC8312B5F81BEDD199B357CE74E9529A90
              Function 0041024A Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 581c4a8488d3d44e18c5fc69d006060dc1f2d50fee734460cf84ca4da62111ed
              • Instruction ID: 3641ad4d47e80102ecb91cc5aa20f134f2dcd2ecae88c38c7c520df8bfe4612f
              • Opcode Fuzzy Hash: 581c4a8488d3d44e18c5fc69d006060dc1f2d50fee734460cf84ca4da62111ed
              • Instruction Fuzzy Hash: 7D5181B3E14A214BD3188E09CC50632B792EFD8312B5F81BEDD199B357CE74A9529A90
              Function 034F7D73 Relevance: .2, Instructions: 160COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 281e9808931b5bd203160d0e1406da2652e979f549f6336e5604ec5387c25e3c
              • Instruction ID: eb63c37275be9798bfa90c08e12d9f7ef5716e234b189e666756cbd5c0d729b2
              • Opcode Fuzzy Hash: 281e9808931b5bd203160d0e1406da2652e979f549f6336e5604ec5387c25e3c
              • Instruction Fuzzy Hash: A551D236A1014A8FCB08CF78C480AAEBBF1EF98314F19827AD915DB355E734DA15CB94
              Function 03443740 Relevance: .2, Instructions: 159COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f8dc1a99c685ed198038357e69c88b669c99e67cd8547bde8bc5920ee0faf95
              • Instruction ID: 40f5c57da9df6911497ac2a7c5a5b5cba08e38cc431c7b375fdb38b22e2fe2e9
              • Opcode Fuzzy Hash: 0f8dc1a99c685ed198038357e69c88b669c99e67cd8547bde8bc5920ee0faf95
              • Instruction Fuzzy Hash: C751E379A00615AFE711CF58C48066AF7B0FF44B10B0981BAE855DF740D734E9A6CBC8
              Function 03437152 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d11f6052f8dafe12c2bb68293a639b39df1adc31c8b0287b57644551394ddd6b
              • Instruction ID: 48d3c933157333340bad443370ad164583dff4cce747d8bb5161ebfcb2c877fa
              • Opcode Fuzzy Hash: d11f6052f8dafe12c2bb68293a639b39df1adc31c8b0287b57644551394ddd6b
              • Instruction Fuzzy Hash: CC51E1B5A00606EFEF15DF64C944BAEBFB4BF49311F1440ABE4529B390DB709912CB88
              Function 034B3A6C Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a5b11fa60b55935b2af0c65471e96c1508680af3e0b717d6dff9f4cf326db0cd
              • Instruction ID: 8f2fef4c402590367377a3999bc076bbca33c74e600f46d139dbd72c8e32010f
              • Opcode Fuzzy Hash: a5b11fa60b55935b2af0c65471e96c1508680af3e0b717d6dff9f4cf326db0cd
              • Instruction Fuzzy Hash: DB519936E4412D4BEF24CE58E461BEFF3F2AB85310F48081AE845BF3C5C2B66956D664
              Function 034FD26B Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction ID: 5948e36b7f5a18469186b64de86f30d9441b669796f1b369b3bba25dcfb359b9
              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction Fuzzy Hash: C8517D72A087429FD301CF28C880B5BB7E5FBC9244F08892EFA948B385D734E905CB56
              Function 034F7571 Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ba4b11747b80f4d83a02bbb5a6be7339928c5bbbab2edeca3fe04ea3394d641
              • Instruction ID: 4af23e0ebeb18be60777518509b2f568a6fdff7d123eb0b185f73448b05d444e
              • Opcode Fuzzy Hash: 4ba4b11747b80f4d83a02bbb5a6be7339928c5bbbab2edeca3fe04ea3394d641
              • Instruction Fuzzy Hash: 6951E331A00115AFDB14DB69C844A7EBBF9FF48390F0C416ADA11DB260DB74AD16CB84
              Function 034351ED Relevance: .1, Instructions: 149COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dceb2a5b859c7b3b52b9ba9a575f909cb411dfeb65d3f20581b870d8d2707976
              • Instruction ID: a193828204f0e6878ce44e99e08ac1888090bba5e9bcc9ca0c1e70dc0e6d64b4
              • Opcode Fuzzy Hash: dceb2a5b859c7b3b52b9ba9a575f909cb411dfeb65d3f20581b870d8d2707976
              • Instruction Fuzzy Hash: FF517C75A05215DFEF21DBAAC840BAEB7B8BB0F714F18009BD811EF250D7B499418B5A
              Function 0346F71F Relevance: .1, Instructions: 143COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aafde7dcda45950ed623106e3c1ad972807572f3b5ded4a5574ad0a07bbd43dd
              • Instruction ID: 877841b7a405ad34bcd1461fb7796eff382c00c8df6dcf9af636f0000c8aa24a
              • Opcode Fuzzy Hash: aafde7dcda45950ed623106e3c1ad972807572f3b5ded4a5574ad0a07bbd43dd
              • Instruction Fuzzy Hash: B5417476D04229AFDF11DFA99884AAFF6BCAF05650F05016BE911EF300D634DE0587E9
              Function 034601F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c583e59ed59b3b171f5ecdb0aacba307aebf2107573aed195ff202b7178495b
              • Instruction ID: 201d24fd48f748ebdc082c75655aad1d7d1676db9b685e2220588c4c12ed08f2
              • Opcode Fuzzy Hash: 8c583e59ed59b3b171f5ecdb0aacba307aebf2107573aed195ff202b7178495b
              • Instruction Fuzzy Hash: 8941AC36A042189BCB14DF98C440AEEF7B4BF88610F18816BE816EF350D7359C41CBAA
              Function 03472750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: f1a9340b4efcd860625917fb8365d614c3ef99e070ffe6244093137a13888f58
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 82515B75A00615DFDB14CF9CC580AAEF7B6FF94710F2881AAD815AB350D730AE42CB94
              Function 03436154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 089fa968b89bb64e0b9c0b60d43bcfaf2d1e41005662a97a15408d08b838efd1
              • Instruction ID: 389ec6582958182a61f51d2badab8c8265fe15ea1d7e1779718e1b955a90a3fc
              • Opcode Fuzzy Hash: 089fa968b89bb64e0b9c0b60d43bcfaf2d1e41005662a97a15408d08b838efd1
              • Instruction Fuzzy Hash: 1951D670904216EFEB25DB64CC44BA9BBB5EB06314F1942ABD425AF3D0D7785981CF88
              Function 0342B136 Relevance: .1, Instructions: 131COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b29fcddecef804ca2bdcd7f9eb05d2f36a0baa846cd5067631d772750e229216
              • Instruction ID: cf6b0f706a59060c8a87e5f2980fb2a44919e421859016eed9689b20d7f9c103
              • Opcode Fuzzy Hash: b29fcddecef804ca2bdcd7f9eb05d2f36a0baa846cd5067631d772750e229216
              • Instruction Fuzzy Hash: DB418A75640711AFDB21EF66C884B2ABBA8EF10794F44846BE511AF260D770DC01CBA8
              Function 034FF0E0 Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c4294f1ca823b650130390ef81a9301ddb6791e6a742e15c72352a47e9f17e7
              • Instruction ID: 7a448994d7749a2abc82915f4f4715af0f81990884ad9909ea41a56aefb22702
              • Opcode Fuzzy Hash: 2c4294f1ca823b650130390ef81a9301ddb6791e6a742e15c72352a47e9f17e7
              • Instruction Fuzzy Hash: 8541DF712083419FD704CF25D8A587BBBE1FB84225F088A5EF9958F382C730D81ACBA5
              Function 034F866E Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: 9418d76a23b5a52fa893c4acfa190f4ca784b8952e4ea16ace50458937600734
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: 4C418675B00219AFEB15DF99CC95AAFBBBAAF84600F1C406AE6049F351D770DD01C764
              Function 034DD5B0 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9dfaf528aea09cd753a23989f7735b77306bb62de4a44e5aacd7b378766883de
              • Instruction ID: 7b0b279abc71fcac419cfefdbb962356b222c6f9e6e7c4171a91387299dbb07e
              • Opcode Fuzzy Hash: 9dfaf528aea09cd753a23989f7735b77306bb62de4a44e5aacd7b378766883de
              • Instruction Fuzzy Hash: 2A41F230E082959FCB14DF29C4A5ABAFBF1EF4A300F09849AE4C58F355C735A456DBA4
              Function 0345D6E0 Relevance: .1, Instructions: 126COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4e8ed7b5208ee7c06feffeb47c55b35b2a910418b695d798db1018068c60f79e
              • Instruction ID: a0ceaec4bb1a20e3d1bd0d35f9afdf176b8c71b0a891cdb439b8f5e2a441c466
              • Opcode Fuzzy Hash: 4e8ed7b5208ee7c06feffeb47c55b35b2a910418b695d798db1018068c60f79e
              • Instruction Fuzzy Hash: 2D41D5759047409FD724EF26C950F6BBBA8EF56320F04052FF8158F2A1DB30A84ADB99
              Function 0342A020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 27763913da1eb13aa6489ac2fd52173c17fd73df8a86257c0a864bcc0074d336
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: 1E41F631A00221DFDB21EF9584507BFBB62EB50754F99806BEE45EF340DA359D41CB98
              Function 03460710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 61810ad3a62037bca9b738cb176ebb8f25de7985b5940e4bb6df3ecb96c84c90
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: 4F413775A04705EFDB24CF99C980AAAB7F8FF08700B10496EE556DB290D330EA44CF99
              Function 0343262C Relevance: .1, Instructions: 119COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f83bffb8f518da605ed4c95588a49d11216cd120c90d6315c4a7e44b6800f9d5
              • Instruction ID: f14b675e746a3aa82f1abe90f5654fc1b64f5863bbe2e6b727c86b1e2cec88ff
              • Opcode Fuzzy Hash: f83bffb8f518da605ed4c95588a49d11216cd120c90d6315c4a7e44b6800f9d5
              • Instruction Fuzzy Hash: 3B41AB75501714CFCB21EF29D940A6AB7F5FF4A310F148AAFC8169F2A0DBB09942CB49
              Function 034FFFB1 Relevance: .1, Instructions: 117COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: becd24f9b575b86fafca8a56225493150a0a935f7eee82a46ec9204e6592ceaa
              • Instruction ID: 6cfdd2c66a8b45142abf0bd959238e11ad39d252143c199a101840d088e8b3fb
              • Opcode Fuzzy Hash: becd24f9b575b86fafca8a56225493150a0a935f7eee82a46ec9204e6592ceaa
              • Instruction Fuzzy Hash: 36415675A002599BC700CB2694B0ABABFF1FF85205F4CC1AAD8819B2C2D63AC55BC770
              Function 034FFA49 Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13c21dc29b12113a9d9761714a252444ccc7e5f55412a3d6daf049973e0767e5
              • Instruction ID: f22338a4dab3fdce1497f763cbb3d81a06aaf18c68e6a60c53cc985f403c4f91
              • Opcode Fuzzy Hash: 13c21dc29b12113a9d9761714a252444ccc7e5f55412a3d6daf049973e0767e5
              • Instruction Fuzzy Hash: B8311636B101069FC718CF29CC44AA7BB99EF85750F0C867AEA18CF384E674D949C798
              Function 034FEEDB Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ced00b3b67be9c741da93fedadf7fc215f64ca99eef8df2027f91e9df010430e
              • Instruction ID: 553d6a44b1d4031d9b134ec1de5d9befc05b0992445e8d6e0200a36f45246f44
              • Opcode Fuzzy Hash: ced00b3b67be9c741da93fedadf7fc215f64ca99eef8df2027f91e9df010430e
              • Instruction Fuzzy Hash: C441B433E0002A9FCB18CF68D49197AF3F1FB4830579A41BED905AB294DB34AD45CB94
              Function 034FFB76 Relevance: .1, Instructions: 109COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 193b804cc91f41af1f174b2aa6e29c3aad5d3af5dec48ff9b8191839d49e7e5a
              • Instruction ID: 98b71bcf97cfeb146fcfb365b99abf67c3a9c1fac9a4b674a51e2f2df444680d
              • Opcode Fuzzy Hash: 193b804cc91f41af1f174b2aa6e29c3aad5d3af5dec48ff9b8191839d49e7e5a
              • Instruction Fuzzy Hash: 05313676600215AFD710DF29CC44EABBBE5FF88350F49842AFA08CF240D674E90AC798
              Function 0040E473 Relevance: .1, Instructions: 108COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction ID: 6080b431270ce43e814d0471708e7031c92e36a47b392485481c034cc62d132b
              • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction Fuzzy Hash: 063160116586F14ED31E836E08BD675AEC18E9720174EC2FEDADA6F2F3C4988418D3A5
              Function 034402E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: e19f7196e1f1c850f5b3fedb23c85565ad37bf80fbd65ed772a3b4c8e329f433
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 9C31E632A04244AFEB21DB69CC40B9AFFA9FF05350F0845BBE455DF351D6749885CB98
              Function 03459274 Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0f5ab957db3093bafe96161c89258c986f53903972de7be78b25881997fa322
              • Instruction ID: 5746e5cbd6d016e6db78bf3e6d9f9cfece300adc5d6f7328cd9761cc94c50d57
              • Opcode Fuzzy Hash: a0f5ab957db3093bafe96161c89258c986f53903972de7be78b25881997fa322
              • Instruction Fuzzy Hash: 3B316475E00328EFDB21DB25CC40B9AB7B5AF8A710F1501EAB94CAF281D7309E45CB55
              Function 03435702 Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d905bd790d4058cef6462fa6b736e620f5a001f027e3164b2d32661345e66ac
              • Instruction ID: 5dc63004f5bbd7635baa5919d1c03457380e94834b1269412eae17900d174d79
              • Opcode Fuzzy Hash: 2d905bd790d4058cef6462fa6b736e620f5a001f027e3164b2d32661345e66ac
              • Instruction Fuzzy Hash: F231C039601A02EFDB51DF21C980A9AFBA9BF4A754F0410ABE9518FB50D770E821CBD4
              Function 03434260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f4320ca21c3db3bd8c056b4de771b02c8205c6a6282f5042491b3de1c6e3e7a
              • Instruction ID: 788dec62cfda3a2e0f4fed2101d24e5001f911b14de4a9a43bf106ae49176c92
              • Opcode Fuzzy Hash: 5f4320ca21c3db3bd8c056b4de771b02c8205c6a6282f5042491b3de1c6e3e7a
              • Instruction Fuzzy Hash: 03419E35200B459FDB22CF25C981BD6BBE9AB4A314F14842FE5A98F350C774E804CB98
              Function 034550E4 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction ID: 11b68e1602b70722a08700362f52c89965ba3849ca20d50f37ca1e67d8ac0f57
              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction Fuzzy Hash: 8331E531E083419FEB21DA29C800777BA94AB86754F0C85AFFC968F786D274CC41C79A
              Function 034F61C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
              • Instruction ID: 79c74ede91e9004ca4a034654464919aa87d44a869bf0b2d45f1303745a96cbf
              • Opcode Fuzzy Hash: b596abad9374cace4a324606c8b5a68a6b7af962f34013c8cd1b9c870b8da671
              • Instruction Fuzzy Hash: F031A376A00255EFDB15EF99C840BAEB7B9EB44740F4A416AE500AF344D774ED01CB98
              Function 034F6BD7 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ebac86d7bb2ee5a1140b3fc3aa3e748d3fd62eb58568be1a1f0fe5014bb0c73c
              • Instruction ID: 7587c4b863d2d5a274cbf7475552f36e08d608792589dd2239c781664bb2d8d5
              • Opcode Fuzzy Hash: ebac86d7bb2ee5a1140b3fc3aa3e748d3fd62eb58568be1a1f0fe5014bb0c73c
              • Instruction Fuzzy Hash: 97318E716002449FCB24DF2AD885A5B7BF4FF59300B86846AE908DF249D270E949CBA8
              Function 034F60B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d4176dfb37ee20186969f0474fdec51d05c7be620f8c7178bdb5eb4a5e1c6144
              • Instruction ID: 2ebe9876c229f8c2bdbdc174224be938306caa2ddf9fbdc5106ab59cf8b49acf
              • Opcode Fuzzy Hash: d4176dfb37ee20186969f0474fdec51d05c7be620f8c7178bdb5eb4a5e1c6144
              • Instruction Fuzzy Hash: 4B310275700215AFDB12EFAAC940B6FBBB9AB44300F0900AEE641DF351DA34DC018B98
              Function 034307AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a4600052c9713ea2ae2f3807cf900385c19f1d6e5c920c06d51e2ba5a9cb5fe
              • Instruction ID: a94149f0b8b1381d16e328fa320f6e973af973ada306b6ea9409885e9348992f
              • Opcode Fuzzy Hash: 4a4600052c9713ea2ae2f3807cf900385c19f1d6e5c920c06d51e2ba5a9cb5fe
              • Instruction Fuzzy Hash: 8331B636A04711DFC715EE258880A6BBBA5EF9A650F05462FFC66AF310DA30DC118BD9
              Function 0042F173 Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cde501620fcfd878bf739c46c99770825d459bff78024b7bc25dfc3b943b213b
              • Instruction ID: 9765813607e1a649872b4a64f325e6495a476fa1d1b2eb48aa2f30ba27d17b3e
              • Opcode Fuzzy Hash: cde501620fcfd878bf739c46c99770825d459bff78024b7bc25dfc3b943b213b
              • Instruction Fuzzy Hash: 7131A272B10A269BD354CE3AD880666B7E1FB88310B948639D919C3740E774FD66C7D4
              Function 0342D6AA Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction ID: d454e7b2ba0e30cd989507c44ce9f4a0f3c5dbf5c2a15e3afcb2f3a109878b91
              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction Fuzzy Hash: 3531C036E00A24AFDB21DE54C880B6BBBB9DBC1750F5D846AED25AF310D278DD40CB58
              Function 00403010 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb14d922db460f0d99d605b79c0a2d15a541da8e001761fce3509c7351f8800c
              • Instruction ID: 85c3cb1cf1bf91da7eb177fc87dad7d16593b897dcd9ca65b8f0d0e34059ed95
              • Opcode Fuzzy Hash: eb14d922db460f0d99d605b79c0a2d15a541da8e001761fce3509c7351f8800c
              • Instruction Fuzzy Hash: 1E31D172A20A148FD368CE6DD845203B7E5EB9C340B01863EE95ED7780DA78ED01CBC4
              Function 034357C0 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 568f557d14343925fd0579b1166fc4799a771e8b4c0d2621e2541247a0569807
              • Instruction ID: a9dce266c4766655809225325cb00dc83d5b3d04f66fd314b95a8f38db6a43eb
              • Opcode Fuzzy Hash: 568f557d14343925fd0579b1166fc4799a771e8b4c0d2621e2541247a0569807
              • Instruction Fuzzy Hash: B231B039705A06FFEB15DB25DA40A5ABBA5FF49200F0450AAE9118FB50D731E831CB84
              Function 0346A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: f1bcc627e831d582264bd1e6a1743dd05e4bceb70e024fe0be0fb978aba97483
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: D43130B2B00B00AFD760CF69DD41B57B7F8BB18750F18052EA55ADB750E630E900CB69
              Function 0345438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5789972c2c25b2f2c2c9eaa2c1f0850b6907bdf29e921d93497d63a54f7707b7
              • Instruction ID: 3144367f973f4011a375238f07eff904b2d2eb59245f69c5c20612ee2c5ab55b
              • Opcode Fuzzy Hash: 5789972c2c25b2f2c2c9eaa2c1f0850b6907bdf29e921d93497d63a54f7707b7
              • Instruction Fuzzy Hash: 3F319031F002059FDB20EFAAC980A6BB7F9AB85705F00852BE845DF265D770E985CB55
              Function 034392C5 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction ID: 2a7864ff71e01eda7474d36490f23bb5f51eeae41e8d3f6221e0d442591afacd
              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction Fuzzy Hash: DC3189B56083099FDB01DF19D840A9ABBE9EF89710F04096BF8519F3A0D770DC15CBAA
              Function 034EC3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: beacb524d416f179c4bcf0bc8d9b4e1e530ec8a68bfb83c80e86fe0efd7ce135
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: CE21F93F600655AECB24EBA68C80ABBF7B4EF40611F40801FF9668E651E634DD50C764
              Function 0342C156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfdfcd5449c098c6871904edb42667e9cda7c94828050d3dd6c3d1afd5ec2dbf
              • Instruction ID: 90aeffa4c596e22e188ca22fb20db53439f55d497edbde3718cf435200561473
              • Opcode Fuzzy Hash: cfdfcd5449c098c6871904edb42667e9cda7c94828050d3dd6c3d1afd5ec2dbf
              • Instruction Fuzzy Hash: E131E8759013108BD734FF14CC41BADB7B4AF46314F5881AED8469F3D1DA749986CB98
              Function 035003E6 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbd2315a78bc2a3449d7e5ca5a26df4356dcd0de370782e109b8a81b963445b1
              • Instruction ID: 359ce885a30bd62797440896cfe266292880a0ee5501fe18e54859676869198b
              • Opcode Fuzzy Hash: fbd2315a78bc2a3449d7e5ca5a26df4356dcd0de370782e109b8a81b963445b1
              • Instruction Fuzzy Hash: 89316171A00119AFCF14DBA5D894F9FBBB9FB88214F414169E905E7290DB306D05CBA4
              Function 0342E388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: 648245121e17cd72b2d6ee5744904a7bf8186fb05f61a43ea2ba5c18cec037fe
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: 7E31B831600614EFEB20CF69C884F6ABBB8EF85314F1444AAE5129F390E730EE42CB54
              Function 034AE609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ddc5c7c51b915b2913c53d999c7ea8fe24109a0c328346fb9effaa2f2b01115d
              • Instruction ID: f8d2dde5250ae79e7fc96f54194f34058cc8b63cfe1ff81dc3c3abfdac1be1e7
              • Opcode Fuzzy Hash: ddc5c7c51b915b2913c53d999c7ea8fe24109a0c328346fb9effaa2f2b01115d
              • Instruction Fuzzy Hash: 9231D475A00605DFCB14CF1CC480DAEB7B5FF94300B55495AE8159F3A0E770EA81CB98
              Function 03433616 Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b4b4407b38a4f556a32a8719b469abcbda729be59416b55ad777e2475570d251
              • Instruction ID: 4cc48eb07a4ebdbfe933f1b44b79511cd5001379a33f8c4acdecddd10281d9b9
              • Opcode Fuzzy Hash: b4b4407b38a4f556a32a8719b469abcbda729be59416b55ad777e2475570d251
              • Instruction Fuzzy Hash: CE21E1392457609FDB71EF05D944B2BBBA4FB8AA10F09486EE8410F761C7B0E844CB85
              Function 03500591 Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52995cc512526ba7b896df2f295ffff7bcd30ac4e16f79a8927e5def960abd7c
              • Instruction ID: aa236191f5101b95f4f4a1a7fb1ca84ac962d98d9387f8323f9ed0cb52c2a164
              • Opcode Fuzzy Hash: 52995cc512526ba7b896df2f295ffff7bcd30ac4e16f79a8927e5def960abd7c
              • Instruction Fuzzy Hash: 0A21F6326002058FD728CE29E880BBAB3A6FFD5310F594878D905CB1E5D732F846C790
              Function 0040E5B8 Relevance: .1, Instructions: 82COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0aba63d87825dfab1db5b2d6a01c12bbefd84b6abe24b940f75bdca45ea45f1
              • Instruction ID: 5571cee8f743fbfa36a7fcc68f74483930e2820298acc025de65145b4b14be21
              • Opcode Fuzzy Hash: e0aba63d87825dfab1db5b2d6a01c12bbefd84b6abe24b940f75bdca45ea45f1
              • Instruction Fuzzy Hash: 70210231A002049FC718DFBBD881A6BB7F5BFD8300F568D6ED8569B781CA75A8028B44
              Function 0345F32A Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction ID: 0c45178ad5deb50a1dacbdd494e55e26ade496940c5b0ee068e9a803503f9e43
              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction Fuzzy Hash: 6321BE72600300DFD719DF16C441B6ABBE9EF95361F15816EE90A8F3A1EB70E805CA99
              Function 034B06F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e47804471cd4e71bfc16f9d6499dfda3ad228738fad19b4aa2451898355a2a5
              • Instruction ID: 9e1e042875a2c536fd30faed8cdfda49c1b41efcc70b9c5aaf70141d36c4c79e
              • Opcode Fuzzy Hash: 7e47804471cd4e71bfc16f9d6499dfda3ad228738fad19b4aa2451898355a2a5
              • Instruction Fuzzy Hash: 64217C75A00629AFCF20DF59C881ABFF7F8FF48740B55006AE541AB250D778AD52CBA4
              Function 034B019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5d90aece192291bca46f193d8e89961d8d5849cd729682df1632da03f8988eb
              • Instruction ID: 7fc0e49fba35de5c7b20de84b70b2e976a4228d6785e5a312fbc12dd3726619c
              • Opcode Fuzzy Hash: e5d90aece192291bca46f193d8e89961d8d5849cd729682df1632da03f8988eb
              • Instruction Fuzzy Hash: 8D217775600644AFDB15DFA9C840AAAB7B8FF48740F18006AF944DB7A0E734ED50CBA8
              Function 03469660 Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0deeceb250aec3f0dbb1b93aad1ea3d12b899d50ecc8d043233bcc85de2cd384
              • Instruction ID: bf6ae02ad4c30a54abb1910c7e7d49cf67b266366a306f72d145de8d02609404
              • Opcode Fuzzy Hash: 0deeceb250aec3f0dbb1b93aad1ea3d12b899d50ecc8d043233bcc85de2cd384
              • Instruction Fuzzy Hash: 5321E431204B01DFDB31EE25D900B2777E5BB51224F18465FE8928E6F0D7B1A8529A5E
              Function 0040E5C3 Relevance: .1, Instructions: 76COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 35581aa78da100a35200b8ac5b9f45998c5a31ded920ce229dd0bfe8ebc988d4
              • Instruction ID: f1a71b552d0e8560ffe6399e90c91c0b684a56603796bd417863ca96bc2de456
              • Opcode Fuzzy Hash: 35581aa78da100a35200b8ac5b9f45998c5a31ded920ce229dd0bfe8ebc988d4
              • Instruction Fuzzy Hash: 8E210631A003449FC718DFBBD881A6BB7F5BFD8300F568D6ED4969B781CA75A8128B44
              Function 034B0283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9092aec3c1f64e3cfe8689f3cbf5d24081c2d56e0ece5ae4cfa9fad8bff73895
              • Instruction ID: 21c57187818ed48d3180e7a322d8a2b41fa9b0076b03d0acf31146fce2d0eb91
              • Opcode Fuzzy Hash: 9092aec3c1f64e3cfe8689f3cbf5d24081c2d56e0ece5ae4cfa9fad8bff73895
              • Instruction Fuzzy Hash: 77218C729043459FD711EFAAC848B9BF7ECAF81640F08446BB8908F251D734D949C6BA
              Function 035001AA Relevance: .1, Instructions: 71COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c3253d35fbce06d2b622da13b83f2d8cc54825d9085ab6c5770fd5da1cdab40
              • Instruction ID: f9890f5d67de1cb6403c7c96297b1c945bf279904c7a293f9bff305f2599106a
              • Opcode Fuzzy Hash: 8c3253d35fbce06d2b622da13b83f2d8cc54825d9085ab6c5770fd5da1cdab40
              • Instruction Fuzzy Hash: 5B21E4613042505FD745CB1A98B54B6BFE5EFC6125B0982E6D884CF382C134D917C7A4
              Function 0346A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 248f9474a2389e79c462f400aa154835ae3424ed402e2d9c7bc7231b20321bd9
              • Instruction ID: 1f72e2ba5e83e64f66b83b7beab7126303765bf985c95ea2b15f252b8588c8d6
              • Opcode Fuzzy Hash: 248f9474a2389e79c462f400aa154835ae3424ed402e2d9c7bc7231b20321bd9
              • Instruction Fuzzy Hash: CD21AC79200B10DFC724DF29C800B46B7F5AF58B04F2884ADA919CF761E331E842CB98
              Function 0342B765 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
              • Instruction ID: d172a8cd635638de92016e82ab756115eb1de436065fa8b496666dddd6d5f3d0
              • Opcode Fuzzy Hash: 50f868d4b4db34128a33a58977f460eb08145b9310d0d2c8ca687f26c83cd6e2
              • Instruction Fuzzy Hash: B8215A36100710DFC721EF59C940F5ABBB5FF18704F14496EE00A9FAA1C774A815DB48
              Function 034FEE26 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5fb44f78c29a4ea8fe663b9463635dfc9255a9768fee091931c20caec9d3820a
              • Instruction ID: 6a237dba31ad227c908853693bf78292ef6065e57561fb77d485169a11d2eb1b
              • Opcode Fuzzy Hash: 5fb44f78c29a4ea8fe663b9463635dfc9255a9768fee091931c20caec9d3820a
              • Instruction Fuzzy Hash: 4021E433A104119FDB18CF3DD800866F7E6EFDD31436A427AD512DB268D770BD558A84
              Function 03460124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: 9cfaa1505f469a1c7f83dd83f9c88cf3507025d2e370fa251561bb0948b6ffa1
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: B711DDB6604704AFE722DF85C840FAABBB8EB80754F14002AE6009F280D676ED44CB69
              Function 03438770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d182b7dabff19ebb81c53b7b77f3f58baf8029470d7917e1bc875abba01d77ee
              • Instruction ID: e25c77d0b792de93f72dfba4403fdab39b9bb1cec0ec05d660943842f4ee77e5
              • Opcode Fuzzy Hash: d182b7dabff19ebb81c53b7b77f3f58baf8029470d7917e1bc875abba01d77ee
              • Instruction Fuzzy Hash: 64116D356016219FCB15CF59C980A6BF7EAAF4F750B1880AAFD08DF305D7B2E9068794
              Function 03433720 Relevance: .1, Instructions: 67COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb30a396c61dbbe76568207d28c6932a20906a95d5520885d0b0f62b99762d80
              • Instruction ID: 988b84935ede345730890fe8f7addd00dafebfe7c43aa65d40f7131104685425
              • Opcode Fuzzy Hash: fb30a396c61dbbe76568207d28c6932a20906a95d5520885d0b0f62b99762d80
              • Instruction Fuzzy Hash: 0121B378A002098AE725DF5ED0487EEB7A4AB8E318F29C019D8115B3D0CBB89945CB59
              Function 034380E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6cfc5c4fd8a7392a26389508a6439bb3e1279042ee0f5c7fa02168dd0f63a176
              • Instruction ID: 06a8e6ff62a42ca52b6481f253d611c32c4fd5ca139ab1c9b0a6f1a683d88e82
              • Opcode Fuzzy Hash: 6cfc5c4fd8a7392a26389508a6439bb3e1279042ee0f5c7fa02168dd0f63a176
              • Instruction Fuzzy Hash: 5B215E75A00205DFCB14CF98C581A6EFBB5FB89314F24416EE105AB314C771AD0ACBD4
              Function 0346674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2ba53b8d1d51879fed2cdb487809c3da2233984859a8286b3f9859c5102b2ffd
              • Instruction ID: fbf840a14b61576878f963b8cff689f2080dacd65c0adfc0cddbef3f6f37df72
              • Opcode Fuzzy Hash: 2ba53b8d1d51879fed2cdb487809c3da2233984859a8286b3f9859c5102b2ffd
              • Instruction Fuzzy Hash: 53218E75601B00EFD720DF69C841F66B3E8FF44250F45882EE4AACB250DA74BC51CBA9
              Function 03429240 Relevance: .1, Instructions: 64COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e75a1db94fd288c2a3ac7a0ba1be070038364b2b3cbbce0e673e181940b59abf
              • Instruction ID: a307281bfb2c031a6c4d1b52bb16a657f45a55a2a7e7f740eeb94e206a804fc4
              • Opcode Fuzzy Hash: e75a1db94fd288c2a3ac7a0ba1be070038364b2b3cbbce0e673e181940b59abf
              • Instruction Fuzzy Hash: C911E97E110240DED731EF56D841E6277A8EB76680F14402AE8009B764E338DD07DF68
              Function 034666B0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1a0a564029b77ea5dacf0cc07f43679fe43d2b8520565dacc7665d041363208d
              • Instruction ID: af42d7de1569b29879bd8c89dd2c8f4078286f8cd862b15f448fd9eff604d65f
              • Opcode Fuzzy Hash: 1a0a564029b77ea5dacf0cc07f43679fe43d2b8520565dacc7665d041363208d
              • Instruction Fuzzy Hash: 6911C176A01244DFCB24DF99D580E5ABBE8EF94611F0A407FE8059F310D678DD01CB98
              Function 034FFF09 Relevance: .1, Instructions: 60COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0a4bca1f21c6860ee9fd87bdec8d319403468f46c951973528c9735c6165b5b
              • Instruction ID: f8f6f91cc1acb3b5d8290d07d0af9e3ddad8054aa4b1b19d5f8d62d1c0adf61c
              • Opcode Fuzzy Hash: a0a4bca1f21c6860ee9fd87bdec8d319403468f46c951973528c9735c6165b5b
              • Instruction Fuzzy Hash: EA2186B16102059FD754DF2AE880B42BBE4FB5D210B8585BAE90CCF25AE370D888DF94
              Function 034527ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 97747a3ea8cef0f65307d041595a076969cd097ae8a2bdc614a4f80da437f9a9
              • Instruction ID: e406a18e6c9c0452b7cc68758ba8daddd5a49b674a4315b1d49640557db01a56
              • Opcode Fuzzy Hash: 97747a3ea8cef0f65307d041595a076969cd097ae8a2bdc614a4f80da437f9a9
              • Instruction Fuzzy Hash: B2010475A05644AFF316E6AA9884F2BAA9DEF41754F09057BF8008F251DA54DC01C2A9
              Function 0345B052 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e9d94aea4421c449a2f29cb9ecb89b11a98ec8dff41ada1f74c7879e08cb96d
              • Instruction ID: 7486d56b53ada5a0205dd74de525fe7c1daee13c7319330c683058e616e38979
              • Opcode Fuzzy Hash: 2e9d94aea4421c449a2f29cb9ecb89b11a98ec8dff41ada1f74c7879e08cb96d
              • Instruction Fuzzy Hash: 6C019B76F047406FD711DB6A9C41F6BB6E8DF84614F04042AFA15DF242D670E9018655
              Function 034ED6F0 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction ID: e8fbf3f9fc5b64447a68fb4bb7d9542af197f616779d7b1047690d564c4bc4de
              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction Fuzzy Hash: 78015275B00209AF9B04EBA6CD44DAFBBBDEF85A44F05045AA9159B200E770EE01D765
              Function 03434690 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 589976c8365fb6781ce5a7ef47bbe642bd665d94f29bf0cedf5289d18db097c0
              • Instruction ID: 9e9faa9c29c0c0f6c98bc4ba8fd12cb7f114b087d4e7c6a6e2798d9676af317e
              • Opcode Fuzzy Hash: 589976c8365fb6781ce5a7ef47bbe642bd665d94f29bf0cedf5289d18db097c0
              • Instruction Fuzzy Hash: 80118F752406449FDB25CF9AD940B9677A8EB8A764F14411AF8148F750C370E800CF68
              Function 03466620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 251fba92f207af7cbb291c950803e55fe4aadb64b0d166de4e915bfd7dca15e7
              • Instruction ID: 78670d7964f08bd1f6021ed9abcbad5e9e1bc9815593562f4df79de684b05835
              • Opcode Fuzzy Hash: 251fba92f207af7cbb291c950803e55fe4aadb64b0d166de4e915bfd7dca15e7
              • Instruction Fuzzy Hash: 16112536A00715AFCB21EF5AE980B5FF7B8EF48740F55005AD900AF310D734AD018B99
              Function 03427330 Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f37c01d2de1639c95d8d4707273c7c20156f9b3c958008f1e41a8dbe2516e0f2
              • Instruction ID: 1a98e3e9c33212a7c70b7a373a21693f7586e69ddc51d7437ea0aa52ff95af03
              • Opcode Fuzzy Hash: f37c01d2de1639c95d8d4707273c7c20156f9b3c958008f1e41a8dbe2516e0f2
              • Instruction Fuzzy Hash: 86118C716006249FD721CF65C841FAB7FE8EF44304F05442AE9859B211D735E811CBA9
              Function 0345F2D0 Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f03fdbe44cf218b80f0c498a22748edf3b9c52bfe10c9b47289d16dde6d9a34e
              • Instruction ID: e7c828e88e7cbe35e047aa7b79dc4119e0d69c9f811559756884e244e9bb18bb
              • Opcode Fuzzy Hash: f03fdbe44cf218b80f0c498a22748edf3b9c52bfe10c9b47289d16dde6d9a34e
              • Instruction Fuzzy Hash: 7711E075A00648DFD720DF69D844BAAB7A8AB54700F08007BE901AF341D638D905C758
              Function 034C72A0 Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction ID: a9ddf47c6dff552dea7a100bb180aef4a61f2f173f53b98bc4afa7fac8f70102
              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction Fuzzy Hash: F801D27A240605BFE711EF16CC80EA3FB6DFF44790B04492AF2004E560C721ACA0CAA8
              Function 0342A250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: 70e8d53d71172cd4b6d0217bb4fe98b13a89b5d6a3005b7df24f937ff97e9747
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: D60104754047219BCB30CF159840A23BFA9EF45760744896EFC95AF380CB31D421CB78
              Function 03436259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5c15fecd20dffaa9336a983b9c70e08d6c59505f8de8a1199bb84ff70446818a
              • Instruction ID: c9fa08bbc403df043db3c4b2463fd08c71e27f7d4003370bc7834a7dc864c953
              • Opcode Fuzzy Hash: 5c15fecd20dffaa9336a983b9c70e08d6c59505f8de8a1199bb84ff70446818a
              • Instruction Fuzzy Hash: AF115E75541218AFEB25EF65CC41FE9B278EB08710F5045DAA314AE1E0DB749E91CF88
              Function 0343208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: 9e9e6639c1d9fc9fcbda5648712390454cb6a3a621407ba9c01975ecc49b1f28
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: D20128326002109BDF11EE19D880B97B77ABFC9710F1948ABEE118F345DAB1C885C794
              Function 0342C020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: f2e6bef4f4bd09461277527b591c61eba7329fe4d8385aea0a12287b700d5888
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: 33012D325017449FDB22EB66D440E6BB7EDFFC6650F44441FA9568F640DE70E802C754
              Function 034720F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3fbc88acfc586515e252da2336411c44dec48f58ecf76b1a3ae718e23ff1f5fe
              • Instruction ID: 829822cc1972bb0e82cfa9bb2513a20c38c536ba9c2a193cf950de0bb8338112
              • Opcode Fuzzy Hash: 3fbc88acfc586515e252da2336411c44dec48f58ecf76b1a3ae718e23ff1f5fe
              • Instruction Fuzzy Hash: 88115775A00208AFDB15EFA5C850EAEBBB9EB44640F00409AE9119F390DA35EE12CB94
              Function 03429353 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction ID: 1eeaa6389852ea26b35730b4aff09738a4bc5f2f6a679e3b7d185f18524b9a97
              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction Fuzzy Hash: A5118B32900B219FD721DF16C880F22BBE4FF48762F19886ED4995E6A5C374E891CB18
              Function 034533A5 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction ID: d3e7d536dd202f4c57e0d194ebe16d5b0f08825a18939fa191cb12330062a396
              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction Fuzzy Hash: 2301863AB00205ABCB12DF9BDD00F5FBA6C9F85681B15442BFD15DF262EA30D902C768
              Function 0346D1D0 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction ID: 9aa680fabed36272fa009701237d971e91bd282ba1670b4edd38ef9d78d5bc74
              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction Fuzzy Hash: 540147BAF006049BD710DE55E800F66B3A9EFC6A20F14855BFE228F380DB34D801C78A
              Function 0342826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc52ff1210a0c80b09557b678b29473bb300da3de9e047b0e21e0c1f32ba62f0
              • Instruction ID: 66e297013aae5d33aa4a5509f828163e20fcddfe74980ca8d13089e7a1f26c94
              • Opcode Fuzzy Hash: cc52ff1210a0c80b09557b678b29473bb300da3de9e047b0e21e0c1f32ba62f0
              • Instruction Fuzzy Hash: 8E01AC35700614DFD714EB66D810EAFBBB9EF91610B59406F9901BF650EE30DD02C6B9
              Function 0344E016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: f3e01d610a50e2decf4e75a78365f23e2c1c5646beb81c46c9caddb85fbfce9a
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: 12014872200A809FE322D719C948F2BB7E8EB49750F0D04B6A815CFA92D728D881C629
              Function 034EF367 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92e563f708110629ede039a5f208e00e2b94901978c1ac1bcc6ab9957a15ca79
              • Instruction ID: 3e9027bc8e7a8166031494adaca12826527f74fbc1d920960a92c5f15f55342a
              • Opcode Fuzzy Hash: 92e563f708110629ede039a5f208e00e2b94901978c1ac1bcc6ab9957a15ca79
              • Instruction Fuzzy Hash: 02017175A10358AFDB14EFA6D805FAEB7B8EF44700F04406AA500EF380D674D905C798
              Function 034F972B Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
              Function 03505636 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 176acd7322ed24a91e565d7811d53a8df544c30ad9be782dad5f4669ed03bfd1
              • Instruction ID: b704730af4a4f66cedd55867b770ef60dd311972c2e54dbcb7043b0f5453dcce
              • Opcode Fuzzy Hash: 176acd7322ed24a91e565d7811d53a8df544c30ad9be782dad5f4669ed03bfd1
              • Instruction Fuzzy Hash: 83116D78D10249EFDB04DFA9D440AAEB7B8FF18704F14845AA814EB390E634DA02CB95
              Function 0342C310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: ebb5804caa65620d2579101dae463ad429c58985ce6c0d432b477253d3b1b4fa
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: A3F0FC372447329FD732DB9A48C0F6FAD958FC5AE4F5A043BE119BF244CA648C0256D8
              Function 03505152 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9a6aee7cb95ae104297d03f0a8d7554e092bc7ab58112a19b15c0f073158e95
              • Instruction ID: 3a764805e534c52d9744304cc61a663fa9eeca1a738556deed183abec2e38e7b
              • Opcode Fuzzy Hash: d9a6aee7cb95ae104297d03f0a8d7554e092bc7ab58112a19b15c0f073158e95
              • Instruction Fuzzy Hash: CA012175A10349AFDB00DF69D9419EEB7B8FF49700F14445AE500EB390D6749A018BA5
              Function 03505060 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e4dcedf7e51cde0b56707a0f3400f42cbaf811c3504165fbf78253a40a0cde4a
              • Instruction ID: f3f0085365c474e9e6d4ec51e288e857a9da61c70e51d8bf577c1cd7d06fe761
              • Opcode Fuzzy Hash: e4dcedf7e51cde0b56707a0f3400f42cbaf811c3504165fbf78253a40a0cde4a
              • Instruction Fuzzy Hash: 7C017CB5A00309AFDB00DFA9D9419EEB7B8FF49300F10405AF900EB391D634AA018BA5
              Function 0345C073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 7d3eb9db4c8088be369b8750762f5eb9149187b1dab0bfb7ea6aa4668a58ce08
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: 65F0C2B3A00610AFD324CF8EDC40E57F7EADBC0A80F088129A905CB320EA31DD04CB94
              Function 035050D9 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 99e69b683131b467cb48abf6d6aebf13fda27e2ffcdb375c6b3c6f176ede88f0
              • Instruction ID: d8669a7dee8484ce3c72383778a4167113b11f457ed4239ee4b953c7bf644f80
              • Opcode Fuzzy Hash: 99e69b683131b467cb48abf6d6aebf13fda27e2ffcdb375c6b3c6f176ede88f0
              • Instruction Fuzzy Hash: C3012CB5A00349AFDB00DFA9E9419EEB7B8FF49700F50445AE500FB390E674A9018BA5
              Function 03465734 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction ID: 884bcdc1545cd5841677b322bc44875bd5b72604944f81cc5837c9ec7bafa4e4
              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction Fuzzy Hash: 6AF0FF72A01214AFE719CF5CC840F6AF7EDEB46651F0940BAD500DF230E671DE04CA98
              Function 034EF78A Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5b8f6c126788fbe3bf4fc599febe9e5e6ba79d6935708d2f294de37c4e161da4
              • Instruction ID: 14fdc8d524188781b8e93e32c9b8fda5e9447d73776c4b26b7431b9f4b50121d
              • Opcode Fuzzy Hash: 5b8f6c126788fbe3bf4fc599febe9e5e6ba79d6935708d2f294de37c4e161da4
              • Instruction Fuzzy Hash: 48014CB8E00349AFDB04DFA9D441AAEBBF4EF08300F00806AA855EB340E674DA00DB95
              Function 034EF2F8 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb7884ad8d1f1dd4a4999b11c5eabedd71ec0d6e3c114a76ccfe2f6652549293
              • Instruction ID: 809e522a3c3fdfd38914612592212fd097b1b9631be4d1abf700bb7f4337490e
              • Opcode Fuzzy Hash: eb7884ad8d1f1dd4a4999b11c5eabedd71ec0d6e3c114a76ccfe2f6652549293
              • Instruction Fuzzy Hash: 40F0A476A10348AFDB14DFBAC805AEEB7B8EF44710F00806BE511EF290DA74D9058795
              Function 035061E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5f3afa62c0b5bc7bb3a7fee10f801080e0385da95f78b9f2d2e4c14db8ae86fd
              • Instruction ID: b586647bcaaf895bc9a8fc1f645a16cceeb47e4c9fc93e8fbcca1e43962348fc
              • Opcode Fuzzy Hash: 5f3afa62c0b5bc7bb3a7fee10f801080e0385da95f78b9f2d2e4c14db8ae86fd
              • Instruction Fuzzy Hash: 16018F71A00259DFDB10DFAAE841AEEB7F8FF48310F14005AE500AB390D774EA01CB99
              Function 0346724D Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction ID: de0a9ea7aa9bf6476b053f30410a22e76d95489571144c6a135b8de9c3185b3c
              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction Fuzzy Hash: 23F0F675A013556FEB10DFAA8940FEBBFA8AF84614F088597B9029F241DA30E940CB59
              Function 035053FC Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 977162f0d6587274677c7a78f345b5f0562110148065175e277afc7d517e68bd
              • Instruction ID: 69d585d19d21c31adaba8e1e3dc36064f65f894ced15fed5d3de64607b9d9f72
              • Opcode Fuzzy Hash: 977162f0d6587274677c7a78f345b5f0562110148065175e277afc7d517e68bd
              • Instruction Fuzzy Hash: E1015AB4A00209DFDB04DFAAD441B9EF7F4FF08300F04826AA519EB391EA749A008B95
              Function 0342C0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2999233bc4788db6cb7069878cfef68dcb24e375bb8e10e562a21eb2d762772
              • Instruction ID: ed5e3e0875abe6b0eb044d1acd0f4d541b6084456f3947cdf9fd9a7abf7c7f64
              • Opcode Fuzzy Hash: f2999233bc4788db6cb7069878cfef68dcb24e375bb8e10e562a21eb2d762772
              • Instruction Fuzzy Hash: 69F0F6713042245FE250D6559C42B777A99DBC0650FA9806BE6059F7C1EA70DC01869D
              Function 03503749 Relevance: .0, Instructions: 38COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction ID: ca92635d8bf5e6da057f0013c55dcfb10e7785471cb195d1311b24c59f89513a
              • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction Fuzzy Hash: 2BF04FBA940304BFE711EBA4CD41FDA77BCEB04710F10056AA916DA1D0EA70EB44CB94
              Function 034D437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: 77f92c57d54b33af73efbbbea678ffa63f261870a6b1d18572ffb6503010770a
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: AFF0BE3A341A124BDB35EA2F8430B2BE296AF80A00B49052F9811CFB80DF30D8218788
              Function 034EF3E6 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ea6e8bff5e54ebfee5eba7daea3d9a309abd8658c1e04c6a935146b389071a3f
              • Instruction ID: 9bfc103fb0c68eca0d466b5dc0838d27667cea486f0f678ae8169631093491d4
              • Opcode Fuzzy Hash: ea6e8bff5e54ebfee5eba7daea3d9a309abd8658c1e04c6a935146b389071a3f
              • Instruction Fuzzy Hash: 28F08C75A00248EFDB04EFA9D505AAEB7F4EF18300F40406AB945EF381D674DA01CB58
              Function 034292FF Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 730903b4992622277009d2d8618add7ab0f9df1a0122bc153780796fb7e6df07
              • Instruction ID: 1e29d44d2d0744f57245270c68da18d76f90cbbbc25f82b3698cbf223d93641e
              • Opcode Fuzzy Hash: 730903b4992622277009d2d8618add7ab0f9df1a0122bc153780796fb7e6df07
              • Instruction Fuzzy Hash: B0F0F032200340AFD731EB4ACC04F9BBBEDEF88B00F08012EA54297190C7A0A909C654
              Function 034347FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3628b14a8fe7c638453de3437cfcdc6327ccce1ea2f6e233e03d7b2c626f490c
              • Instruction ID: 2b88f73f4015990c90a8ebd303a4d3965335e444b1dac761c761d1747795fbad
              • Opcode Fuzzy Hash: 3628b14a8fe7c638453de3437cfcdc6327ccce1ea2f6e233e03d7b2c626f490c
              • Instruction Fuzzy Hash: 11F0F03D9023D08ED725CB1BC404BA6B7D8DB0A720F0C98ABC4998F741C320D881CA08
              Function 034EF6C7 Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f0feb34ec122888713823ea5b93c9378ccdaedebd805b3d3a20f4539ff478f2d
              • Instruction ID: 578a662eb16ae826595d33037fd695ceef5dd7a0d9fb82e169fca8ea0524778a
              • Opcode Fuzzy Hash: f0feb34ec122888713823ea5b93c9378ccdaedebd805b3d3a20f4539ff478f2d
              • Instruction Fuzzy Hash: 67F06D79A10348EFDB14EFAAD805EAEB7F4AF08304F00406AE901EF391E674D901DB58
              Function 034F0115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c9e389ccf7715fedb59e3bcfb868314cfe936987c36a5704f009666651c0a94
              • Instruction ID: 64ea0020f703750876ed26b91102ddb02dee912d68fefcb62e22f90d4863065b
              • Opcode Fuzzy Hash: 2c9e389ccf7715fedb59e3bcfb868314cfe936987c36a5704f009666651c0a94
              • Instruction Fuzzy Hash: A0F0273A4167C04ECF31FB297690692AF68A793010F1E108BC5A15F316C9B98887D62C
              Function 0350539D Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 729157448129532a0c06a92a4e20042bd668682bc71501ddb207ef40fde7acf1
              • Instruction ID: 495942dcc94e196df7e2cc3d41986e02bfbaeb8c16d0d4a4036788f123ffe975
              • Opcode Fuzzy Hash: 729157448129532a0c06a92a4e20042bd668682bc71501ddb207ef40fde7acf1
              • Instruction Fuzzy Hash: 7BF0B474A1074C9FDB04EF79E441EADB7B4EF04300F108459E501EF290EA74D901CB24
              Function 035052E2 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 24d074997e188c8d88a5d60030afc4a39707b7b5f6609d545dc874397b1b3f96
              • Instruction ID: be5c2df4cdb4a9dc206209319dfd2ae3254958c2a135984e26ca1f2868f6f84f
              • Opcode Fuzzy Hash: 24d074997e188c8d88a5d60030afc4a39707b7b5f6609d545dc874397b1b3f96
              • Instruction Fuzzy Hash: CBF0BE74A10348AFDB04EFBAE901EAEB3B8BF14300F444469A401EF2D0EA74D900CB58
              Function 03505283 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fd6d298ae3d45b786a4236d90b8c0e456aed326072d224fcc801b7ff01562862
              • Instruction ID: 94959df3601ab5af5733ae1eb9e0dbe9c74e60b6f05b85f7b1b90ca3bdc0b624
              • Opcode Fuzzy Hash: fd6d298ae3d45b786a4236d90b8c0e456aed326072d224fcc801b7ff01562862
              • Instruction Fuzzy Hash: 52F0B474A10349DFDB04EFA5E501EAEB7B4BF04300F004859A441EF3D1EA34D9008B54
              Function 03472619 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: 6f7a9c943c37f98e3f0e0873bc036f3957cbb25a9d0a354364fb562de068d9e6
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: 0BE092723006402BE721DE5ACC80F87776EAF92B10F04047FB5045E251CAE29D0982A8
              Function 03505341 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3b1d65a00bc45bb56f2001d05c11f987ff30541ceb3d97b536bd80dd74699df9
              • Instruction ID: 8e3762c0eaeff1699cffa7dba4681751da7f55f2fafdcd3067e940342229de02
              • Opcode Fuzzy Hash: 3b1d65a00bc45bb56f2001d05c11f987ff30541ceb3d97b536bd80dd74699df9
              • Instruction Fuzzy Hash: C9F08274A04248AFDB14EFBAE945E9EB7B8AF0A304F540459A501EF2E0EA74D9008719
              Function 03467208 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1b406b89f365b94b599e2cd04a704da6d834045c4d933fceae25050edb9ce0c
              • Instruction ID: 1eaa88b368ebfe2f86499bc504f04404c32dc530e411ae01dde0a6828313d502
              • Opcode Fuzzy Hash: d1b406b89f365b94b599e2cd04a704da6d834045c4d933fceae25050edb9ce0c
              • Instruction Fuzzy Hash: 83F02771911BA49FD7A1D71EC084B1BB7D99F10770F0C80A3D5058F701CBB8C880C259
              Function 03505227 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 59cc8b7241de3fbeea1c669e4f20509af4bd73bb452a1adb50ec4a2542573929
              • Instruction ID: fcaadf93357ef1dfcf58462df79681eca5621c7e08a50d0638912278f5518a0c
              • Opcode Fuzzy Hash: 59cc8b7241de3fbeea1c669e4f20509af4bd73bb452a1adb50ec4a2542573929
              • Instruction Fuzzy Hash: 89F08274A14349AFDB14EFA9E905EAEB3B8BF04704F040459A901EF2D5EA74D9018759
              Function 035051CB Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27614c0b321722cd015389a4f72218c943e4e3f4d7bd84dbc556bd9437fc9de7
              • Instruction ID: 38d543d8e079a75c91aa53d6bdcd891f4cfed83fd2100d4e3bb7cfdd33a0077a
              • Opcode Fuzzy Hash: 27614c0b321722cd015389a4f72218c943e4e3f4d7bd84dbc556bd9437fc9de7
              • Instruction Fuzzy Hash: 94F08974614249DFDB14EBA5D505E6EB3B4FF04704F040459A501DF2D1E674D901C759
              Function 034EF72E Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fe9a5fe1952e2a9ad80cd24ae950a72b7331560a68edb950f7b65dff4361818
              • Instruction ID: 35ed4d1bd63d22a2262f0b3e104f95f45ae09c71ccf743989a31d218bc6a4eb7
              • Opcode Fuzzy Hash: 4fe9a5fe1952e2a9ad80cd24ae950a72b7331560a68edb950f7b65dff4361818
              • Instruction Fuzzy Hash: 80F0E274A00348AFDB04EFAAC545E9EB7B8EF08700F01006AE101EF380D974D9059718
              Function 03430710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 1fd0710a63319da2ed11644edca554b72fba0162c5c75ed33d38838e812b6e8c
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: C9F0657D2047449FEB16DF16D050A997BA8EB46350F0405EAEC568F351D731E982CB98
              Function 035037B6 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction ID: c4aa3e67223fd07197469eea4735bb9931b4250a0d77a3865fe05afd84d458f4
              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction Fuzzy Hash: C6E06D76210600AFE764DB59DD05FE673ACFB00720F140259B1159B0E0DAB0AE40CB64
              Function 034EB3D0 Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction ID: 5f596663d67330c6833901c815b17496e20e8ef41a98c2c39fea7e269281ceee
              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction Fuzzy Hash: 84E0CD36244714BBDB22AE40CC00F697B15DB407D1F104037FA086E690C5719C51D6DC
              Function 0342823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: e69526862965b4d9414350328357fc873aaf71c7657905c100fdafe78f0a0eb6
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: 9EE08C36501A20EEDB31EF12DC04B9A7AA5FB44B10F14486FE0812E4A487B0A892DA6C
              Function 034B92BC Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b91f33541d64c2ab7218c3688c7990c6652dcafc89b10d842e63d12dc1c4641
              • Instruction ID: bf6aadc6c5cf7c94f79bcfe7abc214436cc4d27ced658a5eb2fb7785bf62cc42
              • Opcode Fuzzy Hash: 0b91f33541d64c2ab7218c3688c7990c6652dcafc89b10d842e63d12dc1c4641
              • Instruction Fuzzy Hash: 55F0ED34651B84CFE72ADF04C1E1F5173B9F756B40F500459D4464FBA1C73A9942DA54
              Function 03432050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cbcd54b3d98ea7d063969fdf53cc1b0f519435bcc10e41ddfe668f0d1b7113a6
              • Instruction ID: ac1cf4014db6c236416173e125b753d49fb9d75f2d912ed5dcdf7151ac83f387
              • Opcode Fuzzy Hash: cbcd54b3d98ea7d063969fdf53cc1b0f519435bcc10e41ddfe668f0d1b7113a6
              • Instruction Fuzzy Hash: 02E08C322006506FC221FA6EDD00F8A739AEFAA660F00412AB1518F6A0CA60AC01C798
              Function 0040AA5A Relevance: .0, Instructions: 18COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16949f193d4ff75b2ad57c59f95e2649afa4f897f6b9be48755ef9ea0869c192
              • Instruction ID: d72116506bd23156897673505813172983363e5748df56ba163cb5d274fa7e4e
              • Opcode Fuzzy Hash: 16949f193d4ff75b2ad57c59f95e2649afa4f897f6b9be48755ef9ea0869c192
              • Instruction Fuzzy Hash: C7D02374610322DEE705D9B4C0420C237A1BE56600374D43CF054CF559F33B94038706
              Function 0342A0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: eca863c40c247bf8976d57c8f2fcdcfd702b1be4a4e008988d111462f8fc5efe
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: E9D0223331203097CB28EA516800F63AD059B80AA0F0A002E3C0AEB900C8048C43C2E4
              Function 034402A0 Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: 1af8e11dd02a69df77d2ff0a5028ff2a213971c9ba26eefb425c2146bf22ed1f
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: 94D0C935212E80CFE61ACF0DC5A4B16B3B8BB44B44F8504E2E501CFB61D66CDD50CE04
              Function 034B930B Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction ID: 8918a1498d00e542248342c66a48e58a5d2b5b77496fc0ff8bedb9bc0fc27af2
              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction Fuzzy Hash: 38D05E35945AC4CFE72BCB08C165B917BF8F709B40F891099E0424BBA2C37C9984CB20
              Function 0346C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: 2a890b930bd7248cbb28adac052e22f6e59eb69fe66143d4371bc2c99c1214f9
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: 69C0123B290648AFD712EE99CD01F027BA9EB98B40F004022F2048B670C631E820EA88
              Function 03450310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: ae899504ba08d532988dd7c668f4a4dc3db266a2a41fade5b46fd64f0a98a0d5
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: 9BD0123A100248EFCB01DF41C890D9A772AFBD8710F148019FD190B6118A31ED62DA50
              Function 03430750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: 9d00354ccffe02c1898cbcf578241d35f91f9cb65e197e717ed12aa70b4c33da
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: F6C04C797016418FDF15DF1AD294F4977E4F744740F1508D1E805CF721E624E851CA14
              Function 0041BAC4 Relevance: .0, Instructions: 6COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1600546418.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30051a409f226b7d8bda51f29b76b8275b0dd794a1806fd3da609d66983a90cd
              • Instruction ID: 5b8d2d5f81ce20177c3830b0d703f6098fc71dea2d170e182786fae2fd8ef3ce
              • Opcode Fuzzy Hash: 30051a409f226b7d8bda51f29b76b8275b0dd794a1806fd3da609d66983a90cd
              • Instruction Fuzzy Hash:
              Function 03474340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
              • Instruction ID: 72c92bbcb24c92b6a2295692ef5c4e4972709a11658c111f7618beda93aab60a
              • Opcode Fuzzy Hash: 999881ee96d21e81fef1215127109708f4520cbe74ac6073b0c152aa10bc69b4
              • Instruction Fuzzy Hash: 4D900231605804129140B25848C458A4006D7F0301B95C012E0424958C8B148A565365
              Function 03473010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4636aa21bb0cb6e4996e42b8d858158955d8d26882de98b84783c179bc3fe6ef
              • Instruction ID: ef1b1ced0675ba27183f9a7242c5c4417bef8cf81a9cd3bb6e097ee7ba9d86a8
              • Opcode Fuzzy Hash: 4636aa21bb0cb6e4996e42b8d858158955d8d26882de98b84783c179bc3fe6ef
              • Instruction Fuzzy Hash: BD90022120184842D140B3584844B4F4106C7F1302FD5C01AA4156958CCB1589555725
              Function 03473090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5150c22baf50930bce8b332d14c8cae3ea1e6299f99c2500ee074dda019a5744
              • Instruction ID: 2c1624e538560c4c9fdae012cbbade4d66aef5da52686e89108512db981852b5
              • Opcode Fuzzy Hash: 5150c22baf50930bce8b332d14c8cae3ea1e6299f99c2500ee074dda019a5744
              • Instruction Fuzzy Hash: D790022124140C02D140B258845474B0007C7E0701F95C012A0024958D87168A6566B5
              Function 03474650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc00c96bad191c4697036bd28f6d791f7d8457f265c58a44dc25d1c8497a6615
              • Instruction ID: 09a6dc104a7221763c81892134439d020f2e9f20716e62529d814148475769c9
              • Opcode Fuzzy Hash: dc00c96bad191c4697036bd28f6d791f7d8457f265c58a44dc25d1c8497a6615
              • Instruction Fuzzy Hash: 84900261601504424140B258484444A6006D7F13013D5C116A0554964C87188955926D
              Function 03472BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
              • Instruction ID: 5cb4092ec6905c91303e444233e23db69c8a7823047fe6b16d9bf8a262b4ba3a
              • Opcode Fuzzy Hash: 56c43f02746c319b28b8f694ab1669c35885a25df32d35be58ac5247bd37f954
              • Instruction Fuzzy Hash: 7F90023120544C42D140B2584444A8A0016C7E0305F95C012A0064A98D97258E55B665
              Function 03472BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
              • Instruction ID: bfb556593fc9188f6595328e0eef3940e6ea9b95108cc597480273b1cd83c652
              • Opcode Fuzzy Hash: ae6dae04a31183f797cd141bcc70c21eabe959961fb1413dbc5ba4a2e4001053
              • Instruction Fuzzy Hash: 0F90023120140C02D180B258444468E0006C7E1301FD5C016A0025A58DCB158B5977A5
              Function 03472B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a197ac23318200b7564a2045a912062a00f3ead51b91d54e88246d2539b4633
              • Instruction ID: bb98d3205496ada1ec8f6399f6c67ec8e504d4bcf0408c1b0014609fb924b4fb
              • Opcode Fuzzy Hash: 2a197ac23318200b7564a2045a912062a00f3ead51b91d54e88246d2539b4633
              • Instruction Fuzzy Hash: BE90023120140C02D104B25848446CA0006C7E0301F95C012A6024A59E976589917135
              Function 03472BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 205dda8ca7947066e8c048ef7efef9781cf025ac443f82423534e85e4cf55a9c
              • Instruction ID: 11c38fe69be812629be4a4c4d52382f0f1785cab8268b41d6f3e95fd67f10d3c
              • Opcode Fuzzy Hash: 205dda8ca7947066e8c048ef7efef9781cf025ac443f82423534e85e4cf55a9c
              • Instruction Fuzzy Hash: 9290023160540C02D150B258445478A0006C7E0301F95C012A0024A58D87558B5576A5
              Function 03472AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
              • Instruction ID: 69daad7016237f5548ded85334c572891d3c2dbd83542f723c1ab4b59bccc68d
              • Opcode Fuzzy Hash: 22f7de448098a9f4c48f2a682c8f1ef755fbcfaa47434f822ea38d34894acd90
              • Instruction Fuzzy Hash: EA900435311404030105F75C074454F0047C7F53513D5C033F1015D54CD731CD715135
              Function 03472AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eafd9c12e4bcd058fc169bb57aef2e9dbbebacc96cadbc8138ce139f17d9f337
              • Instruction ID: 3439920f6f3c2e2ce0ef6eb975adae44e9dbe64eb16bc2de4f4d596b8514799e
              • Opcode Fuzzy Hash: eafd9c12e4bcd058fc169bb57aef2e9dbbebacc96cadbc8138ce139f17d9f337
              • Instruction Fuzzy Hash: 37900225221404020145F658064454F0446D7E63513D5C016F1416994CC72189655325
              Function 03472AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 78032f4d8103c9520c3c3c73ecfd3e06f80d7e42db609ebc5109c627320c0db2
              • Instruction ID: 6334777e1deaf2ce256e5635b7a99c7f439acc816010344976ae90d6232f257b
              • Opcode Fuzzy Hash: 78032f4d8103c9520c3c3c73ecfd3e06f80d7e42db609ebc5109c627320c0db2
              • Instruction Fuzzy Hash: C79002A1201544924500F3588444B4E4506C7F0301B95C017E1054964CC72589519139
              Function 034739B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 185f9c956e42f43e7be4556c48d3a137fda8d4e4f601cb687d0473a206269c4a
              • Instruction ID: 47cdf6eec6ed39feeeb7053ae7b290b7846c0bf0ef8dc50b8db8d3e1c38d803e
              • Opcode Fuzzy Hash: 185f9c956e42f43e7be4556c48d3a137fda8d4e4f601cb687d0473a206269c4a
              • Instruction Fuzzy Hash: B490022124545502D150B25C444465A4006E7F0301F95C022A0814998D875589556225
              Function 03472F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b5a42c96833ee465c85642f07621caf4f2a2629328ed28bab2b8d9e17492b657
              • Instruction ID: 21f84e446a88bb02145d3cab3107e2298acfa9339c0fccfcd1799706e9943cdf
              • Opcode Fuzzy Hash: b5a42c96833ee465c85642f07621caf4f2a2629328ed28bab2b8d9e17492b657
              • Instruction Fuzzy Hash: 8090026121140442D104B258444474A0046C7F1301F95C013A2154958CC7298D615129
              Function 03472F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
              • Instruction ID: c14d874ccc1f0c1e00700b0332997a2ac578efca10b798a98b9ae6454404502b
              • Opcode Fuzzy Hash: a6c46bb0a739b6535eca5193581950f4bb4144fe7aed55b0fd806c8cb6a62006
              • Instruction Fuzzy Hash: F090026134140842D100B2584454B4A0006C7F1301F95C016E1064958D8719CD52612A
              Function 03472FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
              • Instruction ID: 8578209f691f6f6d3f36360c5e96c9e92a940fe244bfb2d04a34e426fd988201
              • Opcode Fuzzy Hash: 658390109daa7272b6d252a106a63f1ec800042c1589717b036c1192c10602ac
              • Instruction Fuzzy Hash: 6B900221211C0442D200B6684C54B4B0006C7E0303F95C116A0154958CCB1589615525
              Function 03472F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20f8bbb71df9137e109f31caedc5a56ee0cf081caa111bccc693983ff269468
              • Instruction ID: a1b10872354a22db717931eaa8a5ccbf7e5a5c287dff298ea38925f5f3e67ddd
              • Opcode Fuzzy Hash: b20f8bbb71df9137e109f31caedc5a56ee0cf081caa111bccc693983ff269468
              • Instruction Fuzzy Hash: A790023120180802D100B258485474F0006C7E0302F95C012A1164959D872589516575
              Function 03472FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22fc12a2685a6be4b47bb12905d02a8dafba19e707ff7bc83c7eecb7135eaed1
              • Instruction ID: 4fd4ea6257cc6a5956cbeecab6a11a3e19f00c96f8c23b2e1c7cfa08ddc84d21
              • Opcode Fuzzy Hash: 22fc12a2685a6be4b47bb12905d02a8dafba19e707ff7bc83c7eecb7135eaed1
              • Instruction Fuzzy Hash: 8990023120180802D100B258484878B0006C7E0302F95C012A5164959E8765C9916535
              Function 03472FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c5893831817649cb1e1e44d0510f1dc0d2af392abf5f640d6a28f0f95e01da98
              • Instruction ID: 1b8e297135e053990b57d6a5726b469420328d6dd36b46e306be3dfe52296c16
              • Opcode Fuzzy Hash: c5893831817649cb1e1e44d0510f1dc0d2af392abf5f640d6a28f0f95e01da98
              • Instruction Fuzzy Hash: 97900221601404424140B268888494A4006EBF1311795C122A0998954D875989655669
              Function 03472E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d955ba4e1be1f9f8bab713e987f41977471cc657b0e840e50f85bdb33f29dde
              • Instruction ID: 65132f1205f39add78fdf2a53685adc8f3bf2982a33afbee968ce22d1220638a
              • Opcode Fuzzy Hash: 4d955ba4e1be1f9f8bab713e987f41977471cc657b0e840e50f85bdb33f29dde
              • Instruction Fuzzy Hash: 2B90022130140802D102B258445464A000AC7E1345FD5C013E1424959D87258A53A136
              Function 03472EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
              • Instruction ID: dfe9b4d20b83632294945e48237db2af787c42e5f342c93c6f8b94d8409d2823
              • Opcode Fuzzy Hash: 5e93a703c7f5f54fc9e144388878dbb1c25cbcaf6e3f42b7074de15c1c7a85be
              • Instruction Fuzzy Hash: DF90026120180803D140B658484464B0006C7E0302F95C012A2064959E8B298D516139
              Function 03472E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
              • Instruction ID: 5b2508f1a83d2d699049f6d0716aa297cdb4ef6126c4b29bee7b16b2be661737
              • Opcode Fuzzy Hash: 5ad20d37507022d2f2273f13ea7a713b5c9947c9313c6518467cc18144a7028d
              • Instruction Fuzzy Hash: C390022160140902D101B258444465A000BC7E0341FD5C023A1024959ECB258A92A135
              Function 03472EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7100db012def2b0bbbf263ce108f076d09d5a54425d3900cab2ba46494054c56
              • Instruction ID: 4abfbba142434adec4460873ee202493d5e6294d3ba8062f7428d1cf29506f5e
              • Opcode Fuzzy Hash: 7100db012def2b0bbbf263ce108f076d09d5a54425d3900cab2ba46494054c56
              • Instruction Fuzzy Hash: 2590027120140802D140B258444478A0006C7E0301F95C012A5064958E87598ED56669
              Function 03473D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f0bccb976f22f9d697445e27023030ec3e9cd18eebedda095c33fed21bddf57
              • Instruction ID: 84404a08f22c07be66698be284cda465f0b9658ed4b11bbed20e1ba2347588e0
              • Opcode Fuzzy Hash: 3f0bccb976f22f9d697445e27023030ec3e9cd18eebedda095c33fed21bddf57
              • Instruction Fuzzy Hash: 8590023520140802D510B258584468A0047C7E0301F95D412A042495CD875489A1A125
              Function 03472D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0bc61d4a4a54ec31839cd2255202ee416375b6327c78a2bf2874e43ae9d82867
              • Instruction ID: f86384e5648168a8c7efcf50e52089e3f94c5881b9d4f7b8a1cd6f055e41013e
              • Opcode Fuzzy Hash: 0bc61d4a4a54ec31839cd2255202ee416375b6327c78a2bf2874e43ae9d82867
              • Instruction Fuzzy Hash: AF90022120544842D100B6585448A4A0006C7E0305F95D012A1064999DC7358951A135
              Function 03472D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
              • Instruction ID: ffc033f7e1f6c6890b4aac20874f2776d581f4be96ba09313c4e47e33bd37ac5
              • Opcode Fuzzy Hash: a54b2899dfc8ca35ca12bdcca9794f85d5d64e0c25401c02d4e9d8d88d6ee4f3
              • Instruction Fuzzy Hash: D790022921340402D180B258544864E0006C7E1302FD5D416A001595CCCB1589695325
              Function 03473D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b587f3663bec5e6e50a9c594d1d95212efc12a3f6a443b08e008b24b60665b98
              • Instruction ID: efa34ec265412a91014986160917549e17317042c3f681a959d16d9426b4e8b4
              • Opcode Fuzzy Hash: b587f3663bec5e6e50a9c594d1d95212efc12a3f6a443b08e008b24b60665b98
              • Instruction Fuzzy Hash: 59900231202405429540B3585844A8E4106C7F1302BD5D416A0015958CCB1489615225
              Function 03472D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
              • Instruction ID: 3e068da38f2575aa266daf77abc10c18cfa6c1e4e4eb60675e31b78fc05b6fb4
              • Opcode Fuzzy Hash: f2c96e209ac0d30abacb3cdfe97c92a9a03af4fdca27059db6f32e8a6a1893c8
              • Instruction Fuzzy Hash: E690022130140403D140B258545864A4006D7F1301F95D012E0414958CDB1589565226
              Function 03472DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
              • Instruction ID: 59f5aeeb119ec5e2b9127aed687eddae7065d09bc08c4bfc827971450e953640
              • Opcode Fuzzy Hash: 9c92a54f9a4b905a300c94c250f8182f472e4bfe2beb934851d46e0a235b45dd
              • Instruction Fuzzy Hash: 60900221242445525545F258444454B4007D7F03417D5C013A1414D54C87269956D625
              Function 03472DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be9ab9a34ed053ebe7e115e71e602d868011da3c5897177c1771e566fa96301c
              • Instruction ID: 5e7e0bcc90fcd5acff92a06363dc1b40c7b5f7a0316bfad2fc678054a9fd36a2
              • Opcode Fuzzy Hash: be9ab9a34ed053ebe7e115e71e602d868011da3c5897177c1771e566fa96301c
              • Instruction Fuzzy Hash: 0590023124140802D141B258444464A000AD7E0341FD5C013A0424958E87558B56AA65
              Function 03472C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
              • Instruction ID: bac37f058a9e44e3df3b834c4ea919e15cc8c498e56e899edf1770c556259564
              • Opcode Fuzzy Hash: c1515ba76762767aee053f2ff061a1d560423c64ed3c9c577a0706a4e807a2e5
              • Instruction Fuzzy Hash: DA90023120140C42D100B2584444B8A0006C7F0301F95C017A0124A58D8715C9517525
              Function 03472C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
              • Instruction ID: b67a08933cf5a815060eef9f3b48562ffb39c8f438640fc5365241e215c9c810
              • Opcode Fuzzy Hash: f2b091017c9f28c8a900117e2b27d45c1c94003280a1e4a53f373666f3404167
              • Instruction Fuzzy Hash: 5F90023120148C02D110B258844478E0006C7E0301F99C412A4424A5CD879589917125
              Function 03472CC0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac29edba6b7b7046f57b1685b0cf64795c3f1e5d8d84e3ced624d4fc8996f1c8
              • Instruction ID: f06c1f908be437909d050ca40309b51332627b7eb4e360361cbc4ebbdc595c59
              • Opcode Fuzzy Hash: ac29edba6b7b7046f57b1685b0cf64795c3f1e5d8d84e3ced624d4fc8996f1c8
              • Instruction Fuzzy Hash: 3090022160540802D140B258545874A0016C7E0301F95D012A0024958DC7598B5566A5
              Function 03472CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7a04e4bf0088d69d13e376e8da3d955ed0aa8960bc2ed3dd72658e904c7a42c
              • Instruction ID: a5f7e444ad941f78757c7fa50ded580913021834dca4b29cbff90b466098e92c
              • Opcode Fuzzy Hash: b7a04e4bf0088d69d13e376e8da3d955ed0aa8960bc2ed3dd72658e904c7a42c
              • Instruction Fuzzy Hash: 6D90023120140803D100B258554874B0006C7E0301F95D412A042495CDD75689516125
              Function 03472CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
              • Instruction ID: 946a263a7d4d4efd4ba6c07d996a6645221cdf0dd07269b2c62c99fa2a5343fa
              • Opcode Fuzzy Hash: 37e6147fe09257f3122507df560be3285eef27172d5cc52c7f670308aa226da7
              • Instruction Fuzzy Hash: 4790023120140802D100B698544868A0006C7F0301F95D012A5024959EC76589916135
              Function 03472C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 4f8004c5e8ac37823df6458296f537abc56ba31f6f56780d998710515bb2dd5b
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 03472890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: dfb2ab201aba613860b8ddaddb2c2ce2a578490b72da1ce0d487f64dedbc36d7
              • Instruction ID: 3849aca05d3806e097de92d7cbcdbed50a850603cac0f28d50e16cbdd20129d1
              • Opcode Fuzzy Hash: dfb2ab201aba613860b8ddaddb2c2ce2a578490b72da1ce0d487f64dedbc36d7
              • Instruction Fuzzy Hash: 9451D5B5B00516BFCB10DB9888909BFF7B8BB49200758866BE4A5DF641D274DE40CBA8
              Function 03467630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 034A4742
              • Execute=1, xrefs: 034A4713
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 034A4725
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 034A4655
              • ExecuteOptions, xrefs: 034A46A0
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 034A46FC
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 034A4787
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: 6155378a286dc3fc4561b155d6678c8ba13fa7811350f1e1be1f24cac9b4c065
              • Instruction ID: 6633c514fc4ea3ec2782d37d2437d68f5bea1f8772490947faf64e61b3f56107
              • Opcode Fuzzy Hash: 6155378a286dc3fc4561b155d6678c8ba13fa7811350f1e1be1f24cac9b4c065
              • Instruction Fuzzy Hash: F5513B756003096EDB20EFA9DC85FEE7BB8AF14314F1400ABD505AF390E771AA458B59
              Function 0347B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: 190be8e3f855835c29307f5b229531a12148b597511bb2a7c84519a7f6e38254
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 6E81BF74E052499EDF24CE68C8917FEBBB6EF45320F1C425BD861AF390C73498418B69
              Function 0345F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 034A02E7
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 034A02BD
              • RTL: Re-Waiting, xrefs: 034A031E
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
              • Instruction ID: 500a430ecd6e8a603e56fcd3d3d0ca1709eda35d9053f14df8333e05cd389bdd
              • Opcode Fuzzy Hash: 38d9de2bd5d68b9d22f3905dcbaf2d0b2a99242a0acd0263f59817186a547686
              • Instruction Fuzzy Hash: D8E18C31A04B41DFD724CF28C884B6AB7E4BB44314F180A5EF9A58F3A1D775D949CB4A
              Function 0346BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 034A7B7F
              • RTL: Resource at %p, xrefs: 034A7B8E
              • RTL: Re-Waiting, xrefs: 034A7BAC
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
              • Instruction ID: 744f114dd1256efbd74b17aaf5c9c18e0a9d0bafc8693eca25f5ba6320665f04
              • Opcode Fuzzy Hash: c813fac53e79939e7bb44130736654a8397e5e0490ac7cfa967e43b15b27aa1f
              • Instruction Fuzzy Hash: 7D41E5353007029FC728DE2ACC40B6BB7E9EB98710F14091EE956DF790D731E4058B9A
              Function 0346B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 034A728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 034A7294
              • RTL: Resource at %p, xrefs: 034A72A3
              • RTL: Re-Waiting, xrefs: 034A72C1
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
              • Instruction ID: 86e0366dad6b11ba8a6465968d3d7410d6f35a5f7bbe669803305ce7843c7ec0
              • Opcode Fuzzy Hash: 97fbdf91e9992b2d152f3593f8fa0b2421b6c8445247565f1ec57a1f7e57c24c
              • Instruction Fuzzy Hash: 3D41E136700A06AFC720DE6ACC41B6ABBA5FB94714F14462BF855DF380DB21F81687D9
              Function 03439126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
              • Instruction ID: ab6d1f0bf04d725aa5249a3fc28d94c7fe4129c2b41d4a5fb15b4e3b71714d27
              • Opcode Fuzzy Hash: 3d3a6df4a55a9d22efad0b02051240eda7e941a3c43e449110ee5704ea889b29
              • Instruction Fuzzy Hash: D5814B76D002699BEB31CF54CC44BEEB6B4AB09710F0445EBE919BB290D7709E85CFA4
              Function 034BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
              Download Yara Rule
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 034BCFBD
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1601029420.0000000003400000.00000040.00001000.00020000.00000000.sdmp, Offset: 03400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3400000_svchost.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4rw@4rw
              • API String ID: 4062629308-2979693914
              • Opcode ID: 2a30a1edc8bfe871ecaba4ab18783712042292f0be744d4f4a67eccdf261066a
              • Instruction ID: d8673e1b50d7549f4fd3a54e175278ac9f8885952cd28c1a89e94d069ad56271
              • Opcode Fuzzy Hash: 2a30a1edc8bfe871ecaba4ab18783712042292f0be744d4f4a67eccdf261066a
              • Instruction Fuzzy Hash: 93418E79A00224DFDB21DF99D880AAEBBB8FF46B04F04446BE914DF264D774D801CB69