Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
AraK29dzhH.exe

Overview

General Information

Sample name:AraK29dzhH.exe
renamed because original name is a hash value
Original sample name:87e25b8e625db3f46d50ed170e499170b10864bb3b089acf963bf89eea0e030e.exe
Analysis ID:1588372
MD5:56b7d0211a7897b5457a86cdfe676379
SHA1:1cc2c7b72e07c35e477f4e569faae505c84319f9
SHA256:87e25b8e625db3f46d50ed170e499170b10864bb3b089acf963bf89eea0e030e
Tags:exeFormbookuser-adrian__luca
Infos:

Detection

FormBook
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • AraK29dzhH.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\AraK29dzhH.exe" MD5: 56B7D0211A7897B5457A86CDFE676379)
    • svchost.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\AraK29dzhH.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2f7f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x178b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2c230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x142ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2f7f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x178b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.svchost.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2e9f3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x16ab2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\AraK29dzhH.exe", CommandLine: "C:\Users\user\Desktop\AraK29dzhH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\AraK29dzhH.exe", ParentImage: C:\Users\user\Desktop\AraK29dzhH.exe, ParentProcessId: 7656, ParentProcessName: AraK29dzhH.exe, ProcessCommandLine: "C:\Users\user\Desktop\AraK29dzhH.exe", ProcessId: 7744, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\AraK29dzhH.exe", CommandLine: "C:\Users\user\Desktop\AraK29dzhH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\AraK29dzhH.exe", ParentImage: C:\Users\user\Desktop\AraK29dzhH.exe, ParentProcessId: 7656, ParentProcessName: AraK29dzhH.exe, ProcessCommandLine: "C:\Users\user\Desktop\AraK29dzhH.exe", ProcessId: 7744, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: AraK29dzhH.exeVirustotal: Detection: 58%Perma Link
          Source: AraK29dzhH.exeReversingLabs: Detection: 79%
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: AraK29dzhH.exeJoe Sandbox ML: detected
          Source: AraK29dzhH.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.1765008354.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1420358240.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1422274666.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.1765008354.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1420358240.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1422274666.0000000003400000.00000004.00000020.00020000.00000000.sdmp

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Binary is likely a compiled AutoIt script file
          Source: AraK29dzhH.exe, 00000000.00000000.1359169219.0000000000B14000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_3e1ddc60-8
          Source: AraK29dzhH.exe, 00000000.00000000.1359169219.0000000000B14000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_8b18a475-e
          Source: AraK29dzhH.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a178f97a-c
          Source: AraK29dzhH.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_53ae67f3-3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042CAA3 NtClose,2_2_0042CAA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk,2_2_036735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B60 NtClose,LdrInitializeThunk,2_2_03672B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03672DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674340 NtSetContextThread,2_2_03674340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673010 NtOpenDirectoryObject,2_2_03673010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673090 NtSetValueKey,2_2_03673090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674650 NtSuspendThread,2_2_03674650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BE0 NtQueryValueKey,2_2_03672BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BF0 NtAllocateVirtualMemory,2_2_03672BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BA0 NtEnumerateValueKey,2_2_03672BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B80 NtQueryInformationFile,2_2_03672B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AF0 NtWriteFile,2_2_03672AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AD0 NtReadFile,2_2_03672AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AB0 NtWaitForSingleObject,2_2_03672AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036739B0 NtGetContextThread,2_2_036739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F60 NtCreateProcessEx,2_2_03672F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F30 NtCreateSection,2_2_03672F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FE0 NtCreateFile,2_2_03672FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FA0 NtQuerySection,2_2_03672FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672FB0 NtResumeThread,2_2_03672FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672F90 NtProtectVirtualMemory,2_2_03672F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672E30 NtWriteVirtualMemory,2_2_03672E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672EE0 NtQueueApcThread,2_2_03672EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672EA0 NtAdjustPrivilegesToken,2_2_03672EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672E80 NtReadVirtualMemory,2_2_03672E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673D70 NtOpenThread,2_2_03673D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D30 NtUnmapViewOfSection,2_2_03672D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D00 NtSetInformationFile,2_2_03672D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672D10 NtMapViewOfSection,2_2_03672D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03673D10 NtOpenProcessToken,2_2_03673D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DD0 NtDelayExecution,2_2_03672DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DB0 NtEnumerateKey,2_2_03672DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672C60 NtCreateKey,2_2_03672C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672C70 NtFreeVirtualMemory,2_2_03672C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672C00 NtQueryInformationProcess,2_2_03672C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672CF0 NtOpenProcess,2_2_03672CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672CC0 NtQueryVirtualMemory,2_2_03672CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672CA0 NtQueryInformationToken,2_2_03672CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010002_2_00401000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042F0E32_2_0042F0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004012502_2_00401250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402A282_2_00402A28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402A302_2_00402A30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004102C32_2_004102C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004033402_2_00403340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416C1E2_2_00416C1E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416C232_2_00416C23
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004104E32_2_004104E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004024AC2_2_004024AC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004024B02_2_004024B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E5632_2_0040E563
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004026502_2_00402650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402E742_2_00402E74
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402E802_2_00402E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004027792_2_00402779
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D34C2_2_0362D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FA3522_2_036FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F132D2_2_036F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F02_2_0364E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037003E62_2_037003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0368739A2_2_0368739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E02742_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C02_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036452A02_2_036452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367516C2_2_0367516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F1722_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370B16B2_2_0370B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036301002_2_03630100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA1182_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F81CC2_2_036F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364B1B02_2_0364B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037001AA2_2_037001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F70E92_2_036F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF0E02_2_036FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF0CC2_2_036EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C02_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036407702_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036647502_2_03664750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C02_2_0363C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF7B02_2_036FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C6E02_2_0365C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F16CC2_2_036F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F75712_2_036F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036405352_2_03640535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DD5B02_2_036DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037005912_2_03700591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036314602_2_03631460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F24462_2_036F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FF43F2_2_036FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EE4F62_2_036EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFB762_2_036FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FAB402_2_036FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B5BF02_2_036B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0367DBF92_2_0367DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F6BD72_2_036F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365FB802_2_0365FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B3A6C2_2_036B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFA492_2_036FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7A462_2_036F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EDAC62_2_036EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DDAAC2_2_036DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03685AA02_2_03685AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363EA802_2_0363EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036569622_2_03656962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036499502_2_03649950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B9502_2_0365B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036429A02_2_036429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370A9A62_2_0370A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036428402_2_03642840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364A8402_2_0364A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD8002_2_036AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036438E02_2_036438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E8F02_2_0366E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036268B82_2_036268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4F402_2_036B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03682F282_2_03682F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660F302_2_03660F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFF092_2_036FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364CFE02_2_0364CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632FC82_2_03632FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFFB12_2_036FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641F922_2_03641F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640E592_2_03640E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FEE262_2_036FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FEEDB2_2_036FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03649EB02_2_03649EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03652E902_2_03652E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FCE932_2_036FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F7D732_2_036F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03643D402_2_03643D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F1D5A2_2_036F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364AD002_2_0364AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363ADE02_2_0363ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365FDC02_2_0365FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03658DBF2_2_03658DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B9C322_2_036B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640C002_2_03640C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630CF22_2_03630CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FFCF22_2_036FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0CB52_2_036E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03675130 appears 36 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 036AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0362B970 appears 268 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03687E54 appears 89 times
          Source: AraK29dzhH.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal88.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\AraK29dzhH.exeFile created: C:\Users\user\AppData\Local\Temp\aut64B0.tmpJump to behavior
          Source: AraK29dzhH.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\AraK29dzhH.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: AraK29dzhH.exeVirustotal: Detection: 58%
          Source: AraK29dzhH.exeReversingLabs: Detection: 79%
          Source: unknownProcess created: C:\Users\user\Desktop\AraK29dzhH.exe "C:\Users\user\Desktop\AraK29dzhH.exe"
          Source: C:\Users\user\Desktop\AraK29dzhH.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AraK29dzhH.exe"
          Source: C:\Users\user\Desktop\AraK29dzhH.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AraK29dzhH.exe"Jump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: ntmarta.dllJump to behavior
          Source: AraK29dzhH.exeStatic file information: File size 1220608 > 1048576
          Source: AraK29dzhH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: AraK29dzhH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: AraK29dzhH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: AraK29dzhH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: AraK29dzhH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: AraK29dzhH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: AraK29dzhH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.1765008354.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1420358240.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1422274666.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.1765008354.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1420358240.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1422274666.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: AraK29dzhH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: AraK29dzhH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: AraK29dzhH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: AraK29dzhH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: AraK29dzhH.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411AC7 push edi; retf 2_2_00411ADA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411AD3 push edi; retf 2_2_00411ADA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00404AB8 push ds; iretd 2_2_00404AC2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041AB58 pushad ; retf 2_2_0041AB6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040ACDF push ebp; ret 2_2_0040ACE5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411D00 push esi; ret 2_2_00411D01
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004035C0 push eax; ret 2_2_004035C2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041EDDF push ds; retf 2_2_0041EDE1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00423E14 push ecx; retf 2_2_00423E17
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00423E2C push ecx; retf 2_2_00423E17
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D68D push 14FEF134h; retf 2_2_0040D692
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx2_2_036309B6
          Source: C:\Users\user\Desktop\AraK29dzhH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\AraK29dzhH.exeAPI/Special instruction interceptor: Address: D8D484
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD1C0 rdtsc 2_2_036AD1C0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7748Thread sleep time: -30000s >= -30000sJump to behavior
          Source: AraK29dzhH.exe, 00000000.00000003.1383921510.0000000000DEA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD1C0 rdtsc 2_2_036AD1C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417BD3 LdrLoadDll,2_2_00417BD3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF367 mov eax, dword ptr fs:[00000030h]2_2_036EF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D437C mov eax, dword ptr fs:[00000030h]2_2_036D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03637370 mov eax, dword ptr fs:[00000030h]2_2_03637370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03637370 mov eax, dword ptr fs:[00000030h]2_2_03637370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03637370 mov eax, dword ptr fs:[00000030h]2_2_03637370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]2_2_036B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D34C mov eax, dword ptr fs:[00000030h]2_2_0362D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D34C mov eax, dword ptr fs:[00000030h]2_2_0362D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03705341 mov eax, dword ptr fs:[00000030h]2_2_03705341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629353 mov eax, dword ptr fs:[00000030h]2_2_03629353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629353 mov eax, dword ptr fs:[00000030h]2_2_03629353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h]2_2_036B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]2_2_036B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h]2_2_036FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F132D mov eax, dword ptr fs:[00000030h]2_2_036F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F132D mov eax, dword ptr fs:[00000030h]2_2_036F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365F32A mov eax, dword ptr fs:[00000030h]2_2_0365F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03627330 mov eax, dword ptr fs:[00000030h]2_2_03627330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B930B mov eax, dword ptr fs:[00000030h]2_2_036B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B930B mov eax, dword ptr fs:[00000030h]2_2_036B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B930B mov eax, dword ptr fs:[00000030h]2_2_036B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]2_2_0366A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]2_2_0366A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]2_2_0366A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h]2_2_0362C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h]2_2_03650310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF3E6 mov eax, dword ptr fs:[00000030h]2_2_036EF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037053FC mov eax, dword ptr fs:[00000030h]2_2_037053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]2_2_036403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]2_2_0364E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]2_2_0364E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]2_2_0364E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036663FF mov eax, dword ptr fs:[00000030h]2_2_036663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h]2_2_036EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]2_2_0363A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]2_2_036383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EB3D0 mov ecx, dword ptr fs:[00000030h]2_2_036EB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036533A5 mov eax, dword ptr fs:[00000030h]2_2_036533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036633A0 mov eax, dword ptr fs:[00000030h]2_2_036633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036633A0 mov eax, dword ptr fs:[00000030h]2_2_036633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]2_2_0362E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]2_2_0365438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]2_2_0365438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370539D mov eax, dword ptr fs:[00000030h]2_2_0370539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0368739A mov eax, dword ptr fs:[00000030h]2_2_0368739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0368739A mov eax, dword ptr fs:[00000030h]2_2_0368739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]2_2_03628397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]2_2_03634260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FD26B mov eax, dword ptr fs:[00000030h]2_2_036FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036FD26B mov eax, dword ptr fs:[00000030h]2_2_036FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362826B mov eax, dword ptr fs:[00000030h]2_2_0362826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03659274 mov eax, dword ptr fs:[00000030h]2_2_03659274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03671270 mov eax, dword ptr fs:[00000030h]2_2_03671270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03671270 mov eax, dword ptr fs:[00000030h]2_2_03671270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]2_2_036E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629240 mov eax, dword ptr fs:[00000030h]2_2_03629240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629240 mov eax, dword ptr fs:[00000030h]2_2_03629240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366724D mov eax, dword ptr fs:[00000030h]2_2_0366724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h]2_2_0362A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EB256 mov eax, dword ptr fs:[00000030h]2_2_036EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EB256 mov eax, dword ptr fs:[00000030h]2_2_036EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636259 mov eax, dword ptr fs:[00000030h]2_2_03636259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03705227 mov eax, dword ptr fs:[00000030h]2_2_03705227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362823B mov eax, dword ptr fs:[00000030h]2_2_0362823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03667208 mov eax, dword ptr fs:[00000030h]2_2_03667208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03667208 mov eax, dword ptr fs:[00000030h]2_2_03667208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E12ED mov eax, dword ptr fs:[00000030h]2_2_036E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]2_2_036402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037052E2 mov eax, dword ptr fs:[00000030h]2_2_037052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF2F8 mov eax, dword ptr fs:[00000030h]2_2_036EF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036292FF mov eax, dword ptr fs:[00000030h]2_2_036292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]2_2_0363A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C0 mov eax, dword ptr fs:[00000030h]2_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C0 mov eax, dword ptr fs:[00000030h]2_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C0 mov eax, dword ptr fs:[00000030h]2_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C0 mov eax, dword ptr fs:[00000030h]2_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C0 mov eax, dword ptr fs:[00000030h]2_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C0 mov eax, dword ptr fs:[00000030h]2_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B2C0 mov eax, dword ptr fs:[00000030h]2_2_0365B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036392C5 mov eax, dword ptr fs:[00000030h]2_2_036392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036392C5 mov eax, dword ptr fs:[00000030h]2_2_036392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B2D3 mov eax, dword ptr fs:[00000030h]2_2_0362B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B2D3 mov eax, dword ptr fs:[00000030h]2_2_0362B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B2D3 mov eax, dword ptr fs:[00000030h]2_2_0362B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365F2D0 mov eax, dword ptr fs:[00000030h]2_2_0365F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365F2D0 mov eax, dword ptr fs:[00000030h]2_2_0365F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]2_2_036402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]2_2_036402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036452A0 mov eax, dword ptr fs:[00000030h]2_2_036452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036452A0 mov eax, dword ptr fs:[00000030h]2_2_036452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036452A0 mov eax, dword ptr fs:[00000030h]2_2_036452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036452A0 mov eax, dword ptr fs:[00000030h]2_2_036452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F92A6 mov eax, dword ptr fs:[00000030h]2_2_036F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F92A6 mov eax, dword ptr fs:[00000030h]2_2_036F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F92A6 mov eax, dword ptr fs:[00000030h]2_2_036F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F92A6 mov eax, dword ptr fs:[00000030h]2_2_036F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h]2_2_036C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]2_2_036C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C72A0 mov eax, dword ptr fs:[00000030h]2_2_036C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C72A0 mov eax, dword ptr fs:[00000030h]2_2_036C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B92BC mov eax, dword ptr fs:[00000030h]2_2_036B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B92BC mov eax, dword ptr fs:[00000030h]2_2_036B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B92BC mov ecx, dword ptr fs:[00000030h]2_2_036B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B92BC mov ecx, dword ptr fs:[00000030h]2_2_036B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03705283 mov eax, dword ptr fs:[00000030h]2_2_03705283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366329E mov eax, dword ptr fs:[00000030h]2_2_0366329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366329E mov eax, dword ptr fs:[00000030h]2_2_0366329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F172 mov eax, dword ptr fs:[00000030h]2_2_0362F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C9179 mov eax, dword ptr fs:[00000030h]2_2_036C9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03705152 mov eax, dword ptr fs:[00000030h]2_2_03705152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]2_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629148 mov eax, dword ptr fs:[00000030h]2_2_03629148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629148 mov eax, dword ptr fs:[00000030h]2_2_03629148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629148 mov eax, dword ptr fs:[00000030h]2_2_03629148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629148 mov eax, dword ptr fs:[00000030h]2_2_03629148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03637152 mov eax, dword ptr fs:[00000030h]2_2_03637152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]2_2_0362C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]2_2_03660124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03631131 mov eax, dword ptr fs:[00000030h]2_2_03631131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03631131 mov eax, dword ptr fs:[00000030h]2_2_03631131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B136 mov eax, dword ptr fs:[00000030h]2_2_0362B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B136 mov eax, dword ptr fs:[00000030h]2_2_0362B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B136 mov eax, dword ptr fs:[00000030h]2_2_0362B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B136 mov eax, dword ptr fs:[00000030h]2_2_0362B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]2_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]2_2_036F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036551EF mov eax, dword ptr fs:[00000030h]2_2_036551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036351ED mov eax, dword ptr fs:[00000030h]2_2_036351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D71F9 mov esi, dword ptr fs:[00000030h]2_2_036D71F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]2_2_037061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]2_2_036601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366D1D0 mov eax, dword ptr fs:[00000030h]2_2_0366D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366D1D0 mov ecx, dword ptr fs:[00000030h]2_2_0366D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037051CB mov eax, dword ptr fs:[00000030h]2_2_037051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E11A4 mov eax, dword ptr fs:[00000030h]2_2_036E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E11A4 mov eax, dword ptr fs:[00000030h]2_2_036E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E11A4 mov eax, dword ptr fs:[00000030h]2_2_036E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E11A4 mov eax, dword ptr fs:[00000030h]2_2_036E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364B1B0 mov eax, dword ptr fs:[00000030h]2_2_0364B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]2_2_03670185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03687190 mov eax, dword ptr fs:[00000030h]2_2_03687190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B106E mov eax, dword ptr fs:[00000030h]2_2_036B106E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03705060 mov eax, dword ptr fs:[00000030h]2_2_03705060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov ecx, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03641070 mov eax, dword ptr fs:[00000030h]2_2_03641070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]2_2_0365C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD070 mov ecx, dword ptr fs:[00000030h]2_2_036AD070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]2_2_03632050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D705E mov ebx, dword ptr fs:[00000030h]2_2_036D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D705E mov eax, dword ptr fs:[00000030h]2_2_036D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365B052 mov eax, dword ptr fs:[00000030h]2_2_0365B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]2_2_0362A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]2_2_0362C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F903E mov eax, dword ptr fs:[00000030h]2_2_036F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F903E mov eax, dword ptr fs:[00000030h]2_2_036F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F903E mov eax, dword ptr fs:[00000030h]2_2_036F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F903E mov eax, dword ptr fs:[00000030h]2_2_036F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]2_2_036B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036550E4 mov eax, dword ptr fs:[00000030h]2_2_036550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036550E4 mov ecx, dword ptr fs:[00000030h]2_2_036550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0362A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]2_2_036380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]2_2_0362C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]2_2_036720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov ecx, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov ecx, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov ecx, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov ecx, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036470C0 mov eax, dword ptr fs:[00000030h]2_2_036470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037050D9 mov eax, dword ptr fs:[00000030h]2_2_037050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD0C0 mov eax, dword ptr fs:[00000030h]2_2_036AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AD0C0 mov eax, dword ptr fs:[00000030h]2_2_036AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]2_2_036B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036590DB mov eax, dword ptr fs:[00000030h]2_2_036590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]2_2_036F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]2_2_036F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]2_2_0363208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D08D mov eax, dword ptr fs:[00000030h]2_2_0362D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03635096 mov eax, dword ptr fs:[00000030h]2_2_03635096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365D090 mov eax, dword ptr fs:[00000030h]2_2_0365D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365D090 mov eax, dword ptr fs:[00000030h]2_2_0365D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366909C mov eax, dword ptr fs:[00000030h]2_2_0366909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B765 mov eax, dword ptr fs:[00000030h]2_2_0362B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B765 mov eax, dword ptr fs:[00000030h]2_2_0362B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B765 mov eax, dword ptr fs:[00000030h]2_2_0362B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362B765 mov eax, dword ptr fs:[00000030h]2_2_0362B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]2_2_03638770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03643740 mov eax, dword ptr fs:[00000030h]2_2_03643740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03643740 mov eax, dword ptr fs:[00000030h]2_2_03643740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03643740 mov eax, dword ptr fs:[00000030h]2_2_03643740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]2_2_0366674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03703749 mov eax, dword ptr fs:[00000030h]2_2_03703749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF72E mov eax, dword ptr fs:[00000030h]2_2_036EF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03633720 mov eax, dword ptr fs:[00000030h]2_2_03633720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364F720 mov eax, dword ptr fs:[00000030h]2_2_0364F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364F720 mov eax, dword ptr fs:[00000030h]2_2_0364F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364F720 mov eax, dword ptr fs:[00000030h]2_2_0364F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F972B mov eax, dword ptr fs:[00000030h]2_2_036F972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370B73C mov eax, dword ptr fs:[00000030h]2_2_0370B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370B73C mov eax, dword ptr fs:[00000030h]2_2_0370B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370B73C mov eax, dword ptr fs:[00000030h]2_2_0370B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0370B73C mov eax, dword ptr fs:[00000030h]2_2_0370B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629730 mov eax, dword ptr fs:[00000030h]2_2_03629730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03629730 mov eax, dword ptr fs:[00000030h]2_2_03629730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03665734 mov eax, dword ptr fs:[00000030h]2_2_03665734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363973A mov eax, dword ptr fs:[00000030h]2_2_0363973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363973A mov eax, dword ptr fs:[00000030h]2_2_0363973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03637703 mov eax, dword ptr fs:[00000030h]2_2_03637703
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03635702 mov eax, dword ptr fs:[00000030h]2_2_03635702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03635702 mov eax, dword ptr fs:[00000030h]2_2_03635702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366F71F mov eax, dword ptr fs:[00000030h]2_2_0366F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366F71F mov eax, dword ptr fs:[00000030h]2_2_0366F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363D7E0 mov ecx, dword ptr fs:[00000030h]2_2_0363D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]2_2_0363C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036357C0 mov eax, dword ptr fs:[00000030h]2_2_036357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036357C0 mov eax, dword ptr fs:[00000030h]2_2_036357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036357C0 mov eax, dword ptr fs:[00000030h]2_2_036357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]2_2_036B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B97A9 mov eax, dword ptr fs:[00000030h]2_2_036B97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BF7AF mov eax, dword ptr fs:[00000030h]2_2_036BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BF7AF mov eax, dword ptr fs:[00000030h]2_2_036BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BF7AF mov eax, dword ptr fs:[00000030h]2_2_036BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BF7AF mov eax, dword ptr fs:[00000030h]2_2_036BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BF7AF mov eax, dword ptr fs:[00000030h]2_2_036BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037037B6 mov eax, dword ptr fs:[00000030h]2_2_037037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]2_2_036307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365D7B0 mov eax, dword ptr fs:[00000030h]2_2_0365D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F7BA mov eax, dword ptr fs:[00000030h]2_2_0362F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF78A mov eax, dword ptr fs:[00000030h]2_2_036EF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03669660 mov eax, dword ptr fs:[00000030h]2_2_03669660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03669660 mov eax, dword ptr fs:[00000030h]2_2_03669660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]2_2_03662674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]2_2_0364C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]2_2_0364E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362F626 mov eax, dword ptr fs:[00000030h]2_2_0362F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]2_2_03666620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03705636 mov eax, dword ptr fs:[00000030h]2_2_03705636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]2_2_03668620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]2_2_0363262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03661607 mov eax, dword ptr fs:[00000030h]2_2_03661607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]2_2_036AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366F603 mov eax, dword ptr fs:[00000030h]2_2_0366F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03633616 mov eax, dword ptr fs:[00000030h]2_2_03633616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03633616 mov eax, dword ptr fs:[00000030h]2_2_03633616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]2_2_03672619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C36EE mov eax, dword ptr fs:[00000030h]2_2_036C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C36EE mov eax, dword ptr fs:[00000030h]2_2_036C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C36EE mov eax, dword ptr fs:[00000030h]2_2_036C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C36EE mov eax, dword ptr fs:[00000030h]2_2_036C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C36EE mov eax, dword ptr fs:[00000030h]2_2_036C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C36EE mov eax, dword ptr fs:[00000030h]2_2_036C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365D6E0 mov eax, dword ptr fs:[00000030h]2_2_0365D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365D6E0 mov eax, dword ptr fs:[00000030h]2_2_0365D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036636EF mov eax, dword ptr fs:[00000030h]2_2_036636EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036ED6F0 mov eax, dword ptr fs:[00000030h]2_2_036ED6F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0366A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]2_2_0366A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363B6C0 mov eax, dword ptr fs:[00000030h]2_2_0363B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363B6C0 mov eax, dword ptr fs:[00000030h]2_2_0363B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363B6C0 mov eax, dword ptr fs:[00000030h]2_2_0363B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363B6C0 mov eax, dword ptr fs:[00000030h]2_2_0363B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363B6C0 mov eax, dword ptr fs:[00000030h]2_2_0363B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363B6C0 mov eax, dword ptr fs:[00000030h]2_2_0363B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F16CC mov eax, dword ptr fs:[00000030h]2_2_036F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F16CC mov eax, dword ptr fs:[00000030h]2_2_036F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F16CC mov eax, dword ptr fs:[00000030h]2_2_036F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F16CC mov eax, dword ptr fs:[00000030h]2_2_036F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EF6C7 mov eax, dword ptr fs:[00000030h]2_2_036EF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036616CF mov eax, dword ptr fs:[00000030h]2_2_036616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]2_2_0366C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D6AA mov eax, dword ptr fs:[00000030h]2_2_0362D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362D6AA mov eax, dword ptr fs:[00000030h]2_2_0362D6AA

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\AraK29dzhH.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\AraK29dzhH.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: B23008Jump to behavior
          Source: C:\Users\user\Desktop\AraK29dzhH.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AraK29dzhH.exe"Jump to behavior
          Source: AraK29dzhH.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		212
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping121
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		212
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS11
          System Information Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          AraK29dzhH.exe58%VirustotalBrowse
          AraK29dzhH.exe79%ReversingLabsWin32.Trojan.AutoitInject
          AraK29dzhH.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          s-part-0017.t-0009.t-msedge.net
          		13.107.246.45
          		truefalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1588372
            Start date and time:2025-01-11 01:35:47 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 2s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Run name:Run with higher sleep bypass
            Number of analysed new started processes analysed:9
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:AraK29dzhH.exe
            renamed because original name is a hash value
            Original Sample Name:87e25b8e625db3f46d50ed170e499170b10864bb3b089acf963bf89eea0e030e.exe
            Detection:MAL
            Classification:mal88.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 9
            • Number of non-executed functions: 325
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            s-part-0017.t-0009.t-msedge.netYrCSUX2O3I.exeGet hashmaliciousGuLoaderBrowse
            • 13.107.246.45
            http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==Get hashmaliciousUnknownBrowse
            • 13.107.246.45
            uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            12621132703258916868.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            Cpfkf79Rzk.exeGet hashmaliciousGuLoaderBrowse
            • 13.107.246.45
            https://noiclethomas.wixsite.com/riceGet hashmaliciousUnknownBrowse
            • 13.107.246.45
            TjoY7n65om.exeGet hashmaliciousSnake KeyloggerBrowse
            • 13.107.246.45
            OKkUGRkZV7.exeGet hashmaliciousRemcosBrowse
            • 13.107.246.45
            https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351Get hashmaliciousUnknownBrowse
            • 13.107.246.45
            https://maya-lopez.filemail.com/t/XhcWEjoRGet hashmaliciousUnknownBrowse
            • 13.107.246.45

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\aut64B0.tmp

            Download File
            Process:C:\Users\user\Desktop\AraK29dzhH.exe
            File Type:data
            Category:dropped
            Size (bytes):289280
            Entropy (8bit):7.992401302623123
            Encrypted:true
            SSDEEP:6144:iwYQgTlIDuMqMJy8+JelK5+Rg2oY8NxwO7p9kIYMufF0EmP1GYVZ:ijxSNDx8jN9kPLjaZ
            MD5:3D6C536E452EDC619C8A0626770597A3
            SHA1:540319C71D52D50DF7BFC506CC1C7904DDA8FC02
            SHA-256:E786BE5369213C10962715FC9F28F9F69B43F18444E6BBB02ECCB729CC2578EA
            SHA-512:A9E2CA60E84E838862BC98B78C7AE598B66C5BA4226497C0F7D98DEB22E63C9DD813D571D0112A1910CF7D54CDF7D95A20469761F2AC0F78D9AB7278E1D2DEBF
            Malicious:false
            Reputation:low
            Preview:{i...NRLL...:...n.LP...jV1...LSR63BU9NRLLSR63BU9NRLLSR63BU9.RLL]M.=B.0.s.M...g*<Jn">#4 W^b6X <#8s0S.0 Wn;"l..e./:]+|AAYv63BU9NR5MZ..S%...5.q35.)...t2+.I...~5^.H..nVT..P-:q,4.63BU9NRL..R6.CT9..j.SR63BU9N.LNRY78BUaJRLLSR63BU.ZRLLCR632Q9NR.LSB63BW9NTLLSR63BS9NRLLSR6CFU9LRLLSR61B..NR\LSB63BU)NR\LSR63BE9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63B{M+*8LSR.dFU9^RLL.V63RU9NRLLSR63BU9NrLL3R63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLS

            C:\Users\user\AppData\Local\Temp\meshummad

            Download File
            Process:C:\Users\user\Desktop\AraK29dzhH.exe
            File Type:data
            Category:dropped
            Size (bytes):289280
            Entropy (8bit):7.992401302623123
            Encrypted:true
            SSDEEP:6144:iwYQgTlIDuMqMJy8+JelK5+Rg2oY8NxwO7p9kIYMufF0EmP1GYVZ:ijxSNDx8jN9kPLjaZ
            MD5:3D6C536E452EDC619C8A0626770597A3
            SHA1:540319C71D52D50DF7BFC506CC1C7904DDA8FC02
            SHA-256:E786BE5369213C10962715FC9F28F9F69B43F18444E6BBB02ECCB729CC2578EA
            SHA-512:A9E2CA60E84E838862BC98B78C7AE598B66C5BA4226497C0F7D98DEB22E63C9DD813D571D0112A1910CF7D54CDF7D95A20469761F2AC0F78D9AB7278E1D2DEBF
            Malicious:false
            Reputation:low
            Preview:{i...NRLL...:...n.LP...jV1...LSR63BU9NRLLSR63BU9NRLLSR63BU9.RLL]M.=B.0.s.M...g*<Jn">#4 W^b6X <#8s0S.0 Wn;"l..e./:]+|AAYv63BU9NR5MZ..S%...5.q35.)...t2+.I...~5^.H..nVT..P-:q,4.63BU9NRL..R6.CT9..j.SR63BU9N.LNRY78BUaJRLLSR63BU.ZRLLCR632Q9NR.LSB63BW9NTLLSR63BS9NRLLSR6CFU9LRLLSR61B..NR\LSB63BU)NR\LSR63BE9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63B{M+*8LSR.dFU9^RLL.V63RU9NRLLSR63BU9NrLL3R63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLSR63BU9NRLLS

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.202371247830792
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:AraK29dzhH.exe
            File size:1'220'608 bytes
            MD5:56b7d0211a7897b5457a86cdfe676379
            SHA1:1cc2c7b72e07c35e477f4e569faae505c84319f9
            SHA256:87e25b8e625db3f46d50ed170e499170b10864bb3b089acf963bf89eea0e030e
            SHA512:116284a3671842f1b63ee1c60526145855b6a76b7fdb9e4ce931ced75f4a453741ee506b86b16348acfad9365416d99f8317596ff591c6e1d4bb09b7bedeffe2
            SSDEEP:24576:9u6J33O0c+JY5UZ+XC0kGso6Fant/jeHMd9+2w7xAPc78U2WY:Pu0c++OCvkGs9FantIe02w7xAwhY
            TLSH:6D45CF2273DEC360CB679173BF69B7016EBF38610630B95B2F980D7DA950162262D763
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

            File Icon

            Icon Hash:aaf3e3e3938382a0

            Static PE Info

            General

            Entrypoint:0x427dcd
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x6752DAF6 [Fri Dec 6 11:07:34 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7

            Entrypoint Preview

            Instruction
            call 00007FE5A0F474FAh
            jmp 00007FE5A0F3A2C4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007FE5A0F3A44Ah
            cmp edi, eax
            jc 00007FE5A0F3A7AEh
            bt dword ptr [004C31FCh], 01h
            jnc 00007FE5A0F3A449h
            rep movsb
            jmp 00007FE5A0F3A75Ch
            cmp ecx, 00000080h
            jc 00007FE5A0F3A614h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007FE5A0F3A450h
            bt dword ptr [004BE324h], 01h
            jc 00007FE5A0F3A920h
            bt dword ptr [004C31FCh], 00000000h
            jnc 00007FE5A0F3A5EDh
            test edi, 00000003h
            jne 00007FE5A0F3A5FEh
            test esi, 00000003h
            jne 00007FE5A0F3A5DDh
            bt edi, 02h
            jnc 00007FE5A0F3A44Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007FE5A0F3A453h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007FE5A0F3A4A5h
            bt esi, 03h
            jnc 00007FE5A0F3A4F8h

            Rich Headers

            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD4 build 31101
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD4 build 31101

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xba44c0x17c.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x61788.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1290000x711c.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa48700x40.rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x8dcc40x8de00d28a820a1d9ff26cda02d12b888ba4b4False0.5728679102422908data6.676118058520316IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x8f0000x2e10e0x2e20079b14b254506b0dbc8cd0ad67fb70ad9False0.33535526761517614OpenPGP Public Key5.76010872795207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0xbe0000x8f740x52009f9d6f746f1a415a63de45f8b7983d33False0.1017530487804878data1.198745897703538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0xc70000x617880x61800cbda9d8855f8c8b6ca8bde3c1906bfb6False0.9329326923076923data7.904232852231151IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x1290000x711c0x72006fcae3cbbf6bfbabf5ec5bbe7cf612c3False0.7650767543859649data6.779031650454199IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_ICON0xc75a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
            RT_ICON0xc76d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
            RT_ICON0xc77f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
            RT_ICON0xc79200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
            RT_ICON0xc7c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
            RT_ICON0xc7d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
            RT_ICON0xc8bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
            RT_ICON0xc94800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
            RT_ICON0xc99e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
            RT_ICON0xcbf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
            RT_ICON0xcd0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
            RT_MENU0xcd4a00x50dataEnglishGreat Britain0.9
            RT_STRING0xcd4f00x594dataEnglishGreat Britain0.3333333333333333
            RT_STRING0xcda840x68adataEnglishGreat Britain0.2747909199522103
            RT_STRING0xce1100x490dataEnglishGreat Britain0.3715753424657534
            RT_STRING0xce5a00x5fcdataEnglishGreat Britain0.3087467362924282
            RT_STRING0xceb9c0x65cdataEnglishGreat Britain0.34336609336609336
            RT_STRING0xcf1f80x466dataEnglishGreat Britain0.3605683836589698
            RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
            RT_RCDATA0xcf7b80x58a4fdata1.0003332534626688
            RT_GROUP_ICON0x1282080x76dataEnglishGreat Britain0.6610169491525424
            RT_GROUP_ICON0x1282800x14dataEnglishGreat Britain1.25
            RT_GROUP_ICON0x1282940x14dataEnglishGreat Britain1.15
            RT_GROUP_ICON0x1282a80x14dataEnglishGreat Britain1.25
            RT_VERSION0x1282bc0xdcdataEnglishGreat Britain0.6181818181818182
            RT_MANIFEST0x1283980x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

            Imports

            DLLImport
            WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLLGetProcessMemoryInfo
            IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dllIsThemeActive
            KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishGreat Britain

            Network Behavior

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Jan 11, 2025 01:36:35.528656006 CET1.1.1.1192.168.2.90xc5a6No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
            Jan 11, 2025 01:36:35.528656006 CET1.1.1.1192.168.2.90xc5a6No error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:19:36:40
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\AraK29dzhH.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\AraK29dzhH.exe"
            Imagebase:0xa60000
            File size:1'220'608 bytes
            MD5 hash:56B7D0211A7897B5457A86CDFE676379
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:2
            Start time:19:36:46
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\AraK29dzhH.exe"
            Imagebase:0xf40000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1765310528.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            Reputation:high
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:0.9%
              Dynamic/Decrypted Code Coverage:5.8%
              Signature Coverage:9.7%
              Total number of Nodes:103
              Total number of Limit Nodes:9
              execution_graph 78187 42ec63 78190 42cdc3 78187->78190 78189 42ec7e 78191 42cddd 78190->78191 78192 42cdee RtlAllocateHeap 78191->78192 78192->78189 78193 4251e3 78197 4251fc 78193->78197 78194 42528c 78195 425244 78201 42eb83 78195->78201 78197->78194 78197->78195 78199 425287 78197->78199 78200 42eb83 RtlFreeHeap 78199->78200 78200->78194 78204 42ce13 78201->78204 78203 425254 78205 42ce2d 78204->78205 78206 42ce3e RtlFreeHeap 78205->78206 78206->78203 78207 42c0a3 78208 42c0bd 78207->78208 78211 3672df0 LdrInitializeThunk 78208->78211 78209 42c0e5 78211->78209 78212 42fda3 78213 42eb83 RtlFreeHeap 78212->78213 78214 42fdb8 78213->78214 78231 424e53 78232 424e6f 78231->78232 78233 424e97 78232->78233 78234 424eab 78232->78234 78235 42caa3 NtClose 78233->78235 78236 42caa3 NtClose 78234->78236 78237 424ea0 78235->78237 78238 424eb4 78236->78238 78241 42eca3 RtlAllocateHeap 78238->78241 78240 424ebf 78241->78240 78242 417bd3 78243 417bf7 78242->78243 78244 417bfe 78243->78244 78245 417c33 LdrLoadDll 78243->78245 78245->78244 78246 414073 78248 414093 78246->78248 78249 4140fc 78248->78249 78251 41b823 RtlFreeHeap LdrInitializeThunk 78248->78251 78250 4140f2 78251->78250 78215 4249a4 78217 4249a7 78215->78217 78216 4249b0 78217->78216 78218 424a13 78217->78218 78219 424a28 78217->78219 78221 42caa3 NtClose 78218->78221 78227 42caa3 78219->78227 78222 424a1c 78221->78222 78223 424a68 78224 424a31 78224->78223 78225 42eb83 RtlFreeHeap 78224->78225 78226 424a5c 78225->78226 78228 42cac0 78227->78228 78229 42cad1 NtClose 78228->78229 78229->78224 78230 3672b60 LdrInitializeThunk 78252 401c18 78253 401c20 78252->78253 78256 430213 78253->78256 78259 42e733 78256->78259 78260 42e759 78259->78260 78269 407703 78260->78269 78262 42e76f 78268 401cbd 78262->78268 78272 41b513 78262->78272 78264 42e78e 78265 42ce63 ExitProcess 78264->78265 78266 42e7a3 78264->78266 78265->78266 78283 42ce63 78266->78283 78271 407710 78269->78271 78286 416893 78269->78286 78271->78262 78273 41b53f 78272->78273 78304 41b403 78273->78304 78276 41b584 78279 41b5a0 78276->78279 78281 42caa3 NtClose 78276->78281 78277 41b56c 78278 41b577 78277->78278 78280 42caa3 NtClose 78277->78280 78278->78264 78279->78264 78280->78278 78282 41b596 78281->78282 78282->78264 78284 42ce80 78283->78284 78285 42ce91 ExitProcess 78284->78285 78285->78268 78287 4168b0 78286->78287 78289 4168c9 78287->78289 78290 42d503 78287->78290 78289->78271 78292 42d51d 78290->78292 78291 42d54c 78291->78289 78292->78291 78297 42c0f3 78292->78297 78295 42eb83 RtlFreeHeap 78296 42d5c5 78295->78296 78296->78289 78298 42c110 78297->78298 78301 3672c0a 78298->78301 78299 42c13c 78299->78295 78302 3672c1f LdrInitializeThunk 78301->78302 78303 3672c11 78301->78303 78302->78299 78303->78299 78305 41b41d 78304->78305 78309 41b4f9 78304->78309 78310 42c193 78305->78310 78308 42caa3 NtClose 78308->78309 78309->78276 78309->78277 78311 42c1ad 78310->78311 78314 36735c0 LdrInitializeThunk 78311->78314 78312 41b4ed 78312->78308 78314->78312

              Executed Functions

              Function 00417BD3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 23 417bd3-417bef 24 417bf7-417bfc 23->24 25 417bf2 call 42f883 23->25 26 417c02-417c10 call 42fe83 24->26 27 417bfe-417c01 24->27 25->24 30 417c20-417c31 call 42e203 26->30 31 417c12-417c1d call 430123 26->31 36 417c33-417c47 LdrLoadDll 30->36 37 417c4a-417c4d 30->37 31->30 36->37
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417C45
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 5dcbc6baf4d259431639129e786eea26c350e9648a9a52f79217b35080b91802
              • Instruction ID: 3b0d8c50eeb4b567371476669e8f4c9155d7e95f2bd301e88ead0cb1db0fa9de
              • Opcode Fuzzy Hash: 5dcbc6baf4d259431639129e786eea26c350e9648a9a52f79217b35080b91802
              • Instruction Fuzzy Hash: E40171B5E0020DBBDF10EBE5DC42FDEB3789B14308F4041AAE90897241F635EB488B95
              Function 0042CAA3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 43 42caa3-42cadf call 404a63 call 42dcf3 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CADA
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 6a587ebc864418072ba2f7c6881afb4ee45f97099d84882bb3332dba188e180a
              • Instruction ID: 2db74bf3d827a474d3e24ae58c4e099c93b90a52d9e2e05ecaf09301b65d614c
              • Opcode Fuzzy Hash: 6a587ebc864418072ba2f7c6881afb4ee45f97099d84882bb3332dba188e180a
              • Instruction Fuzzy Hash: 2DE04F752012147BD510EA5ADC41FD7B79CDFC5714F00401AFA0967141C7B4BA118BF4
              Function 036735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 59 36735c0-36735cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 6137beca0e7834bca7ee2681fdbfb31d3478a6c9e68e18d62e9f842641a3eaf3
              • Instruction ID: 14704e88bd9990a7bf10593cddd3698b0d90077dcbd448423a2d23fe0b545408
              • Opcode Fuzzy Hash: 6137beca0e7834bca7ee2681fdbfb31d3478a6c9e68e18d62e9f842641a3eaf3
              • Instruction Fuzzy Hash: 3A90023160550802D100B6584554746100687D4301FA5C511A042466CE87D58A5165A2
              Function 03672B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 57 3672b60-3672b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: b47d092546cf0f668c24698b700959e6e4ba002d712871d4bc7a91d939c14bae
              • Instruction ID: 477d092c06117334780cd49e62da7514cc2248fe399308c3f7817f4bebfa49c6
              • Opcode Fuzzy Hash: b47d092546cf0f668c24698b700959e6e4ba002d712871d4bc7a91d939c14bae
              • Instruction Fuzzy Hash: 87900261202404034105B6584454656400B87E4301B95C121E1014694EC66589916125
              Function 03672DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 58 3672df0-3672dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 0c1941189cb1d193a099106bec33393777b3f246b878689b08df1d155923ecdd
              • Instruction ID: 6cebf13566ce982b6a45d412a60939e0e5e16a162780faa10336b83753f66aa7
              • Opcode Fuzzy Hash: 0c1941189cb1d193a099106bec33393777b3f246b878689b08df1d155923ecdd
              • Instruction Fuzzy Hash: 4490023120140813D111B6584544747000A87D4341FD5C512A042465CE97968A52A121
              Function 0042CE13 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 0 42ce13-42ce54 call 404a63 call 42dcf3 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CE4F
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID: 'iA
              • API String ID: 3298025750-2007443615
              • Opcode ID: cd3eb2b967f37c6adfde664a725905d554d7935b9f0b77ffa223850d1e3838bd
              • Instruction ID: dd66391a5299758d7e1bb29f81c04f5eb3714e5ab25b52c6be5cacda1a790507
              • Opcode Fuzzy Hash: cd3eb2b967f37c6adfde664a725905d554d7935b9f0b77ffa223850d1e3838bd
              • Instruction Fuzzy Hash: 0FE06DB1200204BBD614EE59DC41EDB73ACEFC5714F000019FA19A7241C770B9118BB8
              Function 0042CDC3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 38 42cdc3-42ce04 call 404a63 call 42dcf3 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E9D4,?,?,00000000,?,0041E9D4,?,?,?), ref: 0042CDFF
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: e26d892fea7482cb69df9b9dcb89b119b60ca1ab43a285922b77fa3b1ca7a7a7
              • Instruction ID: 344de082243cff50c6892ed5cc88854b7cd95f849dddb69859736b2b7d102034
              • Opcode Fuzzy Hash: e26d892fea7482cb69df9b9dcb89b119b60ca1ab43a285922b77fa3b1ca7a7a7
              • Instruction Fuzzy Hash: 73E06DB56042447BCA14EE59EC41F9B73ACEFC5714F000419FE08A7242D674BA118BB8
              Function 0042CE63 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 48 42ce63-42ce9f call 404a63 call 42dcf3 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: d390be443200311757a572f4639f82f2ea8815e5dd5a36250808a8a4829e368d
              • Instruction ID: 0fc10eccc1b3b55dbccadf14ffbb64c71cef1534a5fb43a42295309a2fd018e3
              • Opcode Fuzzy Hash: d390be443200311757a572f4639f82f2ea8815e5dd5a36250808a8a4829e368d
              • Instruction Fuzzy Hash: 55E04F352006547BC510EA6ADC41FDB775CDBC5714F50441AFA08A7241C6B4BA0187F4
              Function 03672C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 53 3672c0a-3672c0f 54 3672c11-3672c18 53->54 55 3672c1f-3672c26 LdrInitializeThunk 53->55
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 9d5e928524a29dda8aaa5c14ada1cb18c27ed4adcf9f41b98dc9bbad4bc75352
              • Instruction ID: 8879c64833d99df56973c153897a30f1d1648756cce15cdd82e5853e14c7e5b8
              • Opcode Fuzzy Hash: 9d5e928524a29dda8aaa5c14ada1cb18c27ed4adcf9f41b98dc9bbad4bc75352
              • Instruction Fuzzy Hash: B4B09B719015C5C5DA51F7604708717790567D1701F59C561D3030755F4779C1D1E175

              Non-executed Functions

              Function 036B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 37b12cec14bd1b1e05cd17cd46f08cae87ef28e74e10486562a68b379ed6b726
              • Instruction ID: 579dbb5c965ea333aca3dc55a386f555582a637ebc135a81a8874d41969481f9
              • Opcode Fuzzy Hash: 37b12cec14bd1b1e05cd17cd46f08cae87ef28e74e10486562a68b379ed6b726
              • Instruction Fuzzy Hash: 56929975608341ABD720DE24C890BABB7F8BB88754F184D2DFA949B350D770E885CF96
              Function 036268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-3089669407
              • Opcode ID: 460f89aef6cec8c33ae17b34ddeb96396b67d5c8f14a3744fd1f13cb21fb8456
              • Instruction ID: fe5cc9c18bd150f53253cd5fdb831e2684913840c2a20cfe30ccc87c1fa21018
              • Opcode Fuzzy Hash: 460f89aef6cec8c33ae17b34ddeb96396b67d5c8f14a3744fd1f13cb21fb8456
              • Instruction Fuzzy Hash: 168122B2D01618AF8B22FB98DDC5DEFB7FDAB15610B054525FA01FB104E724ED148BA0
              Function 03668620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON
              Download Yara Rule
              Strings
              • double initialized or corrupted critical section, xrefs: 036A5508
              • Critical section address., xrefs: 036A5502
              • Thread is in a state in which it cannot own a critical section, xrefs: 036A5543
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036A54CE
              • 8, xrefs: 036A52E3
              • Thread identifier, xrefs: 036A553A
              • I_wI_w@4_w@4_w, xrefs: 036A5341, 036A534D
              • Invalid debug info address of this critical section, xrefs: 036A54B6
              • Critical section debug info address, xrefs: 036A541F, 036A552E
              • Address of the debug info found in the active list., xrefs: 036A54AE, 036A54FA
              • Critical section address, xrefs: 036A5425, 036A54BC, 036A5534
              • corrupted critical section, xrefs: 036A54C2
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036A54E2
              • undeleted critical section in freed memory, xrefs: 036A542B
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036A540A, 036A5496, 036A5519
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$I_wI_w@4_w@4_w
              • API String ID: 0-4161880443
              • Opcode ID: 901b5db5c862ce80c417aeb69ce44e4ca8714589b9262d274409f882408629be
              • Instruction ID: 45aac73e284e222e6b6ce09a7945f23b09bfe3a2b8026c3149431584cb2a7b77
              • Opcode Fuzzy Hash: 901b5db5c862ce80c417aeb69ce44e4ca8714589b9262d274409f882408629be
              • Instruction Fuzzy Hash: E6819DB0A00758EFDB20CF98C941BAEBBB9FB49710F184159F659BB241D375A941CF60
              Function 03660F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
              • API String ID: 0-360209818
              • Opcode ID: 179af670409d6ee83614192e47aa7ff7d291949fba0f0d6c72591bd193f3ff25
              • Instruction ID: e17fecd882923972afb8290998e97f09edcb071017f5b709de10eee5121f10f8
              • Opcode Fuzzy Hash: 179af670409d6ee83614192e47aa7ff7d291949fba0f0d6c72591bd193f3ff25
              • Instruction Fuzzy Hash: 06628FB5E006298FDB24CF18C9417A9B7B6EF96310F5882DAD449AB340D7729EE1CF50
              Function 036E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
              • API String ID: 0-3591852110
              • Opcode ID: c649eca0ecb7d5d24c71e40f20c9db7ea8caae3da64fca9e55583e340940f5c1
              • Instruction ID: c7e5ab7149c905e8582025eb4fa73cd6962cf932f39ae9c2765d505d8e99d2cb
              • Opcode Fuzzy Hash: c649eca0ecb7d5d24c71e40f20c9db7ea8caae3da64fca9e55583e340940f5c1
              • Instruction Fuzzy Hash: C012CC74601642DFCB25CF28C545BBABBF5FF0A704F188459E4968B782D734E889EB60
              Function 0364AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
              • API String ID: 0-3197712848
              • Opcode ID: 1ac064034c0d2c80aa3e91ff19a6cd1f59df3e96e3de8cb2fb1390c52900c032
              • Instruction ID: 795c46e2df0cc8f555d5d447516d9f282f181ef251fdc5b1e61611109ce8c171
              • Opcode Fuzzy Hash: 1ac064034c0d2c80aa3e91ff19a6cd1f59df3e96e3de8cb2fb1390c52900c032
              • Instruction Fuzzy Hash: 4512FE71A083419FD724DF68C940BAAB7E8BF85B04F08496EF8C58B381E774D945CB92
              Function 0362D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
              • API String ID: 0-3532704233
              • Opcode ID: 2fa499dab1739731274f3664558fec01f46db9498b3d81da4fb0a6d67204d1bb
              • Instruction ID: 3889651b34ef4b7b7e461938dcb844dcc8261e10efd52513ff04f19d353db04f
              • Opcode Fuzzy Hash: 2fa499dab1739731274f3664558fec01f46db9498b3d81da4fb0a6d67204d1bb
              • Instruction Fuzzy Hash: A9B1BD715087619FC721EF64C580A6BBBE8AF88744F06492EF899E7340D770D949CFA2
              Function 036E0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
              • API String ID: 0-1357697941
              • Opcode ID: 103acd7d7ec564acf7d07e89c136e36fe58558bf3d77339d6da66afacafab9e4
              • Instruction ID: f9960eacd882f8698372767dc80e4e0f065a5b28fd14e252291b0af2dddba3c6
              • Opcode Fuzzy Hash: 103acd7d7ec564acf7d07e89c136e36fe58558bf3d77339d6da66afacafab9e4
              • Instruction Fuzzy Hash: 2BF11435A05655EFCB25CF6AC440BAAFBF5FF0A704F088059E4929B382C7B4A949DF50
              Function 036C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 0-3063724069
              • Opcode ID: 7a9e26e6a5c68c2af10545e8cdc4c39cac6eb79fe9788ca00ff0ba153189ebfc
              • Instruction ID: 61ce727a3c23c3f364e3a98415374876f01d044730021300aec43b057caf5ffa
              • Opcode Fuzzy Hash: 7a9e26e6a5c68c2af10545e8cdc4c39cac6eb79fe9788ca00ff0ba153189ebfc
              • Instruction Fuzzy Hash: 79D1E372814395AFE721DB64C840BBFBBE8EF84714F48492DFA849B250D770D914CB96
              Function 036E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: f2a5523afdce4ce977b8cd870b31103a34b0afbc92692948a2e92e7ef25879c5
              • Instruction ID: f0164e6b87c13e6c750d619c1bac27a5e9d3dd3b5db1fc0d2d676a67cefd902a
              • Opcode Fuzzy Hash: f2a5523afdce4ce977b8cd870b31103a34b0afbc92692948a2e92e7ef25879c5
              • Instruction Fuzzy Hash: A2D1DC39A01A81DFCB22DF6AC540AAEBBF1FF4A710F198049E4559F352C7B49949CF18
              Function 0362D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0362D2C3
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0362D146
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 0362D196
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0362D0CF
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0362D262
              • @, xrefs: 0362D2AF
              • @, xrefs: 0362D0FD
              • @, xrefs: 0362D313
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              • Opcode ID: 72e69bebd7e70c3fd46cb39334945dfd6b6de61d69092ec852a43d40fe452e05
              • Instruction ID: cb85851827e826fcad21753db50097ac4547b48c8a4419d4333d8fff569c9925
              • Opcode Fuzzy Hash: 72e69bebd7e70c3fd46cb39334945dfd6b6de61d69092ec852a43d40fe452e05
              • Instruction Fuzzy Hash: CFA1BD719087159FD321DF20C584BABBBE8BB88715F014D2EFAA896240E774D908CF97
              Function 03649EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
              Download Yara Rule
              Strings
              • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 036976EE
              • Status != STATUS_NOT_FOUND, xrefs: 0369789A
              • @, xrefs: 03649EE7
              • Internal error check failed, xrefs: 03697718, 036978A9
              • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03697709
              • sxsisol_SearchActCtxForDllName, xrefs: 036976DD
              • minkernel\ntdll\sxsisol.cpp, xrefs: 03697713, 036978A4
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
              • API String ID: 0-761764676
              • Opcode ID: 9821035e8a453014ece937f37ce2b2cfc807442c344fa801961c18b93b8bfb36
              • Instruction ID: ce9a9625f476e71c852b35efcb2517c31bb16415e025f6bd00a69f6157030bd8
              • Opcode Fuzzy Hash: 9821035e8a453014ece937f37ce2b2cfc807442c344fa801961c18b93b8bfb36
              • Instruction Fuzzy Hash: 8D127E74E00215DBDF24CFA8C981AAEB7F8FF49714F1884AAE845EB341E7349851CB65
              Function 00402E74 Relevance: 8.9, Strings: 7, Instructions: 162COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $P%$$P%$%$P%$P%$gfff$gfff
              • API String ID: 0-43842076
              • Opcode ID: 8da41ce92f03953d5ec289cbedc497a9ce89a693ad0e4764b5ff5bf19e43b5d0
              • Instruction ID: 962b7a0d0c3cb115c26724082a09e2e30fa0a220d73a52daec89eb66bd63c551
              • Opcode Fuzzy Hash: 8da41ce92f03953d5ec289cbedc497a9ce89a693ad0e4764b5ff5bf19e43b5d0
              • Instruction Fuzzy Hash: D5511631B0010A4BDB18CE5DDD987ED7BA6EBD4304F18827AD945EF3C5E5B89E019780
              Function 00402E80 Relevance: 8.9, Strings: 7, Instructions: 160COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $P%$$P%$%$P%$P%$gfff$gfff
              • API String ID: 0-43842076
              • Opcode ID: 31aca3e6e6977ad261d090526770f9306a6cc3e602e858878364ccc00fc6dc20
              • Instruction ID: d98dac3a13b2671a3ca4c47b2c40224b09ca03738a9de665fe3f194ae633db93
              • Opcode Fuzzy Hash: 31aca3e6e6977ad261d090526770f9306a6cc3e602e858878364ccc00fc6dc20
              • Instruction Fuzzy Hash: D351E431B0010A4BDB18CE5DDE947EE7BA6EBD4304F18827AD945EF3C5E5B89E029784
              Function 0363EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: ada50179064d68e9e76df560ba570b3cc2044666056b4715a352dcda5ff2da1e
              • Instruction ID: a645f34ba35d29ffbd308ebaab3d8fc28a150dd271f91b5ccc4638435b5d80d1
              • Opcode Fuzzy Hash: ada50179064d68e9e76df560ba570b3cc2044666056b4715a352dcda5ff2da1e
              • Instruction Fuzzy Hash: 8FA23875E056298BDF65CF19CD887A9B7B9AF46304F1442EAD80DAB350DB319E82CF10
              Function 0362F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              • Opcode ID: 72a5aef6ef6444e9595da745d8e539337873a800b6722f11a1ecf024c2a3e55f
              • Instruction ID: 322ca20196072f33bce53155b931c741b8985e9b5cbddc862d19e15b93ee4729
              • Opcode Fuzzy Hash: 72a5aef6ef6444e9595da745d8e539337873a800b6722f11a1ecf024c2a3e55f
              • Instruction Fuzzy Hash: C742FE75608B919FC714EF28C590A2AFBE5FF89204F094A6DE8868F381D730D842CF56
              Function 0363ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
              • API String ID: 0-4098886588
              • Opcode ID: ba60c781db9624c796876b0880fc3e603f99dfd227fa986c71e2263b01d80aef
              • Instruction ID: ad6ac6569fc788e4d372939171c662bfd6d1268261e2ddd578ef8a0af49df29f
              • Opcode Fuzzy Hash: ba60c781db9624c796876b0880fc3e603f99dfd227fa986c71e2263b01d80aef
              • Instruction Fuzzy Hash: B432A175E042698BEF22CF14CD94BEEBBB9AF46340F1841EAE449A7350D7719E818F44
              Function 0364B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              • Opcode ID: 8b98c884ee7763cdcea8c0fa9e12bbbeac5b2a7a574e0a433387637bb75a6b34
              • Instruction ID: 61a59e040741913a494003336e544fdeb4c8de8bb2103f00a1675c65baf34e3b
              • Opcode Fuzzy Hash: 8b98c884ee7763cdcea8c0fa9e12bbbeac5b2a7a574e0a433387637bb75a6b34
              • Instruction Fuzzy Hash: E0C14B31E00215ABDF25CF69C881BBFBB69AF46710F184069E8869F381E7B4DD45C7A4
              Function 036663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 4c1d2e7a04ecdc933ddece91727a85b4a9a4d1d6c9c034d6b9cce3b8d80b486e
              • Instruction ID: b68c1c0c0f3db365c919d15d3854d37e81bf53d2ce74437a05d76ae26da3ccad
              • Opcode Fuzzy Hash: 4c1d2e7a04ecdc933ddece91727a85b4a9a4d1d6c9c034d6b9cce3b8d80b486e
              • Instruction Fuzzy Hash: 73915A30B007149BDB35EF19ED95BAEBBA4EF41764F18812DE4106B381DBB45C01CBA4
              Function 03662674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 036A219F
              • RtlGetAssemblyStorageRoot, xrefs: 036A2160, 036A219A, 036A21BA
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 036A2178
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 036A21BF
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 036A2180
              • SXS: %s() passed the empty activation context, xrefs: 036A2165
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              • API String ID: 0-861424205
              • Opcode ID: 027ae63fec5a9fd33bf3da33435b057ce54c82c6edc4417136aa55880b35f0c9
              • Instruction ID: e1286b9a273467c86b25e2f7ae68a3f042581395811c0b9c48785418b40d85a3
              • Opcode Fuzzy Hash: 027ae63fec5a9fd33bf3da33435b057ce54c82c6edc4417136aa55880b35f0c9
              • Instruction Fuzzy Hash: AD312836F802147BE721CA998C65F5FBF78DB95A80F094469FA14AB241D670DE01CBE1
              Function 0366C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeImportRedirection, xrefs: 036A8177, 036A81EB
              • minkernel\ntdll\ldrinit.c, xrefs: 0366C6C3
              • minkernel\ntdll\ldrredirect.c, xrefs: 036A8181, 036A81F5
              • Loading import redirection DLL: '%wZ', xrefs: 036A8170
              • LdrpInitializeProcess, xrefs: 0366C6C4
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 036A81E5
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: 7c478064954e2fd938fb7687bcf39ede4813842984e735763f085e740b15f587
              • Instruction ID: db67810cf4b8358810ca9bed863b29687789e513dc508bfa31e1f72894f933af
              • Opcode Fuzzy Hash: 7c478064954e2fd938fb7687bcf39ede4813842984e735763f085e740b15f587
              • Instruction Fuzzy Hash: AC310775744B459FD224EF28DD45E2ABBE4EF84B10F04056CF885AF391E660EC04CBA6
              Function 036B9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
              • API String ID: 0-3127649145
              • Opcode ID: f7528f36ef7996882a49b42605aec02799ccd89ba4be9cfd92f541c982d7d6a3
              • Instruction ID: 079f7b02c40717dd82f2f37a86bfded669839cbded2cc0aa82200cc3b98ade23
              • Opcode Fuzzy Hash: f7528f36ef7996882a49b42605aec02799ccd89ba4be9cfd92f541c982d7d6a3
              • Instruction Fuzzy Hash: 50325675A017199BDB21DF65CD88BDAB7F8FF48304F1041EAE509AB250EB70AA84CF54
              Function 03649950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
              • API String ID: 0-3393094623
              • Opcode ID: 4df38a12d84b5784f3ae92eada6a23063a2eb516cbd90a3db17ff7bf2ce9e9f6
              • Instruction ID: b4bbb8a3345e8df193a233aff2847d6fbb3dccb76847ee3e3fdb4cc015cfd3f5
              • Opcode Fuzzy Hash: 4df38a12d84b5784f3ae92eada6a23063a2eb516cbd90a3db17ff7bf2ce9e9f6
              • Instruction Fuzzy Hash: E80247759483418BD720CF64C184BABFBE9BF8A704F48895EE9998B350E770D845CB92
              Function 036551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
              Download Yara Rule
              Strings
              • Kernel-MUI-Number-Allowed, xrefs: 03655247
              • Kernel-MUI-Language-SKU, xrefs: 0365542B
              • WindowsExcludedProcs, xrefs: 0365522A
              • Kernel-MUI-Language-Allowed, xrefs: 0365527B
              • Kernel-MUI-Language-Disallowed, xrefs: 03655352
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              • Opcode ID: db691c9df998bc7dca5f14913f6d83fd39be106608a56654a86aac575ff5a186
              • Instruction ID: 2e24198e7618d9fd888421c9e0721b4db3869862d1ff53ce57264453007a6ab2
              • Opcode Fuzzy Hash: db691c9df998bc7dca5f14913f6d83fd39be106608a56654a86aac575ff5a186
              • Instruction Fuzzy Hash: D8F15E76D10218EFCF15DFA4C944AEEBBBDEF49610F54406AEA02AB350E7709E01CB90
              Function 036B4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
              • API String ID: 0-2518169356
              • Opcode ID: d19f665de6145a23464f17b97a3df762c7a734309cf6e7456998d0b1962578c8
              • Instruction ID: faa293ad065d6e7de36ca2f0e14ba8532ee0e66932fe4de1b3f16d417c6be6df
              • Opcode Fuzzy Hash: d19f665de6145a23464f17b97a3df762c7a734309cf6e7456998d0b1962578c8
              • Instruction Fuzzy Hash: 2191CE72D006199BCB21CFA9C981AFEB7B4EF89310F594169E912EB350D735D981CF90
              Function 00401250 Relevance: 6.4, Strings: 5, Instructions: 178COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: Z<$WT$gfff$hA$yxxx
              • API String ID: 0-1043199181
              • Opcode ID: d66b576cd72b278be45e8b7395794f09f89dfcb978ce56046286705701148306
              • Instruction ID: fe8fd4f5ff400f515018e5ca1510789d5fd9794f98ddcc36c084e0073c9d8df2
              • Opcode Fuzzy Hash: d66b576cd72b278be45e8b7395794f09f89dfcb978ce56046286705701148306
              • Instruction Fuzzy Hash: DF614B71E1064E87CF04CFA9D8500EEF771EF99314F24926AE8087F390E6759A82CB94
              Function 0365D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1975516107
              • Opcode ID: e9bce0ca7d71ad87aa926909e0c09ac35583136da5c8a7dd21dab9b7836afb74
              • Instruction ID: 00efb9c74984a7da902590043fdc1eb3fbf7d88aa40c5547363a3a4106228ecf
              • Opcode Fuzzy Hash: e9bce0ca7d71ad87aa926909e0c09ac35583136da5c8a7dd21dab9b7836afb74
              • Instruction Fuzzy Hash: C451CC75E00345DFDB24EFA4C5847ADBBB1BF49318F288169E801AB3D1D778A981CB80
              Function 036470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: 3fd0cfbd61013f7919ead066e3533beb73be444fa71dbf6bd8aaf22eecdd1f7a
              • Instruction ID: 8010ee9bfdacfffd91313a7cd346c0c7c5e4772cfe80c8784da66ebd3cb2a17f
              • Opcode Fuzzy Hash: 3fd0cfbd61013f7919ead066e3533beb73be444fa71dbf6bd8aaf22eecdd1f7a
              • Instruction Fuzzy Hash: 6F139A70E00655DFDB29CF68C9807AAFBF1BF49304F1881A9D859AB381D735A946CF90
              Function 03641070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              • API String ID: 0-3570731704
              • Opcode ID: 3b3422b8ad626369b6065282067b3dbf932e79d6d1411e3bdd2ca28759595f88
              • Instruction ID: 207d8bdc2e9b9ac840d5169847e68bee684e19f89c6b0ba403329769e768eb60
              • Opcode Fuzzy Hash: 3b3422b8ad626369b6065282067b3dbf932e79d6d1411e3bdd2ca28759595f88
              • Instruction Fuzzy Hash: C4925775E00268CFEB25CF18C940BA9B7B9BF46314F0981EAD94AAB350D7749E81CF15
              Function 0364A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
              Download Yara Rule
              Strings
              • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03697D39
              • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03697D03
              • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03697D56
              • SsHd, xrefs: 0364A885
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
              • API String ID: 0-2905229100
              • Opcode ID: 704b97210f796c4f7b329dfb576abca5c39fa37ad633598925c68217e32c54c6
              • Instruction ID: c7a2d3143bf4a17592fb71fa2447cf15ff0a1dbaead91b037836ee3d31c60cfb
              • Opcode Fuzzy Hash: 704b97210f796c4f7b329dfb576abca5c39fa37ad633598925c68217e32c54c6
              • Instruction Fuzzy Hash: 2ED17A35E50219AFDF24CFA8C980AADF7B5FF48310F19416AE845AB351D771E981CBA0
              Function 03643D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: c911a3fe964cba207369e77acec52996926706a5d937dba918cbb5ac7797f165
              • Instruction ID: 1d1a713801701c58b7fb724b231d1dd4a520da7f9ed6cb0412308eb216dc7ddf
              • Opcode Fuzzy Hash: c911a3fe964cba207369e77acec52996926706a5d937dba918cbb5ac7797f165
              • Instruction Fuzzy Hash: B9E2BF74E006158FDB29CF69C591BAAFBF1FF49304F188199D849AB385DB34A846CF90
              Function 00402650 Relevance: 5.3, Strings: 4, Instructions: 298COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU$yxxx$0$m
              • API String ID: 0-1512246746
              • Opcode ID: 4d84c8f7268f85f6c0cb2a1b4e6e3949f2d4f347eb9c04d5e0fa2b19623cb4a9
              • Instruction ID: c0df3cb0b48c016e3fcc5460302a816be35037d272d75fc5253249d0560dfd77
              • Opcode Fuzzy Hash: 4d84c8f7268f85f6c0cb2a1b4e6e3949f2d4f347eb9c04d5e0fa2b19623cb4a9
              • Instruction Fuzzy Hash: 6691E672B0050A4BCB18CE5DCE9426EB3A2EBD4304F18827BD945EF3D1E6B8DD518784
              Function 0363A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: fc053538af66c696dd4f307808f14be0ec8fefc8c59e7ac7b50d88d981995292
              • Instruction ID: a74868723c90a63a18362ad2b71d5765b5d400c7e71879abf08eced96c4aa607
              • Opcode Fuzzy Hash: fc053538af66c696dd4f307808f14be0ec8fefc8c59e7ac7b50d88d981995292
              • Instruction Fuzzy Hash: 25C18774508386DFDB10CF98C144B6AB7E8BF86704F04896AF8D68B351E334C94ADB66
              Function 03640C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
              Download Yara Rule
              Strings
              • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 036954ED
              • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 036955AE
              • HEAP[%wZ]: , xrefs: 036954D1, 03695592
              • HEAP: , xrefs: 036954E0, 036955A1
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
              • API String ID: 0-1657114761
              • Opcode ID: 7f96ca36c8a509b0e9a803b4fbb077a9f73c1c66a7e328f4b82a1918980512f6
              • Instruction ID: a117a49997abac40d68902d0d6b1d5ca18416cb40009dac25e4bbfbc41b1a832
              • Opcode Fuzzy Hash: 7f96ca36c8a509b0e9a803b4fbb077a9f73c1c66a7e328f4b82a1918980512f6
              • Instruction Fuzzy Hash: 81A1F134A04625DFDB24DF28C940BBAFBE5EF46300F18856ED6968B782D774A845CB90
              Function 0366273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • .Local, xrefs: 036628D8
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 036A22B6
              • SXS: %s() passed the empty activation context, xrefs: 036A21DE
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 036A21D9, 036A22B1
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: 51a3dceae6a4addfc07953bcc29b0a7d2fa2f15504eaaeb80e2fcacf3d540e5c
              • Instruction ID: 905c521ab44aaf4e7a28f89affa1539bfd952b7c7fe505270f7eeb2590cbdd8d
              • Opcode Fuzzy Hash: 51a3dceae6a4addfc07953bcc29b0a7d2fa2f15504eaaeb80e2fcacf3d540e5c
              • Instruction Fuzzy Hash: 5CA1C135940229DFCB24CF69CD98BA9B3B4BF58354F1849E9D848AB351D7309E81CF94
              Function 0362F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
              • API String ID: 0-2586055223
              • Opcode ID: 8ded01df173ea63816c809eff459c024424e26014d3d46bcb10b88773a3aa357
              • Instruction ID: e59a4751c5b4f8068db8e06b5ea877ea1a48c0706b3d4060e7ba87b01280271c
              • Opcode Fuzzy Hash: 8ded01df173ea63816c809eff459c024424e26014d3d46bcb10b88773a3aa357
              • Instruction Fuzzy Hash: F7612436205B809FD721EB24CA44F67BBE8EF84714F190968F9558F391C735D845CB62
              Function 036E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 0-336120773
              • Opcode ID: 8e80f84559d280d86fca47a56a57caccf083d2d216aaa051492063be2cb6ea9b
              • Instruction ID: 426c4992b92e84d5824b540b06da6231e40f444e516b3efabb0d2fdf3307024e
              • Opcode Fuzzy Hash: 8e80f84559d280d86fca47a56a57caccf083d2d216aaa051492063be2cb6ea9b
              • Instruction Fuzzy Hash: B5310E35601610EFC711DBA8CC86F6BB7E8EF0B620F190049E412CF291D670ED88EA6D
              Function 03629148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              • API String ID: 0-1391187441
              • Opcode ID: 6ea158822dcd103d89b9f5788b4ca83e562cda54d17e514fd659861d64eab67e
              • Instruction ID: 27b0681d14de7ffb4b75c89c2ab5c4fb49db492c8740b71d886c934b95bbfd05
              • Opcode Fuzzy Hash: 6ea158822dcd103d89b9f5788b4ca83e562cda54d17e514fd659861d64eab67e
              • Instruction Fuzzy Hash: 9531A236A00614AFCB11EB46C889F9EBFF8EF45B20F154165E915AB291D7B0E940CE64
              Function 036429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
              Download Yara Rule
              Strings
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0364327D
              • HEAP[%wZ]: , xrefs: 03643255
              • HEAP: , xrefs: 03643264
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              • Opcode ID: 5ee53b4f3f707573a1824395466f2a37f8394fd89810dd3af2c55cb56377896e
              • Instruction ID: e551bf6252910c8f41355ebfbe537fcdedde3e79d5fb30c6ea545229045044a0
              • Opcode Fuzzy Hash: 5ee53b4f3f707573a1824395466f2a37f8394fd89810dd3af2c55cb56377896e
              • Instruction Fuzzy Hash: A392CB74E042489FDB25CF68C5547AEBBF1FF09300F2884A9E899AB391D735A942CF50
              Function 03641F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: c4b8e071f2789d9a866296d6b8c3eea2ab42ccf0cbd210145798dd9cb28b4b13
              • Instruction ID: 2b87858562040dfd1f8efb95449a41afca5c3133cba8ea5a978de2e7be60714c
              • Opcode Fuzzy Hash: c4b8e071f2789d9a866296d6b8c3eea2ab42ccf0cbd210145798dd9cb28b4b13
              • Instruction Fuzzy Hash: F622EC70A007019FEB16DF28C594B7AFBF9EF06704F28849AE5568B382D771D882CB50
              Function 03640770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: c1320e1edd664823f12b0afff66126897848364d4b19cc6c3f51724909ef3457
              • Instruction ID: 14a6f40c8041341f98794048de3da69845a80a78d8b27170264774c1cda76ffc
              • Opcode Fuzzy Hash: c1320e1edd664823f12b0afff66126897848364d4b19cc6c3f51724909ef3457
              • Instruction Fuzzy Hash: 07F1BD34B00615DFEB15CF68CA94B6AF7B9FF45304F1881A9E6169B381D734E982CB90
              Function 03631460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
              Download Yara Rule
              Strings
              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03631728
              • HEAP[%wZ]: , xrefs: 03631712
              • HEAP: , xrefs: 03631596
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: d5381806d43d19562c1d1c57f69b291ed02a2a2518e180126918b30916624762
              • Instruction ID: 734c78e95ef54f98aa5f9b9c68c791cf17a07c7ee95aeb692af50f1e7bf25f1e
              • Opcode Fuzzy Hash: d5381806d43d19562c1d1c57f69b291ed02a2a2518e180126918b30916624762
              • Instruction Fuzzy Hash: 08E11F70A046419FDB28EF68C485BBABBF5EF4B310F18855DE4968B342E734E941CB60
              Function 0363B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
              • API String ID: 0-1145731471
              • Opcode ID: 962f23e4631cf13195801c3874ea54efabf73ca1a309c03576b347be8fa62831
              • Instruction ID: 4d3635842fa835983afbde0054c7871ca6b72992b32a5e3b0982e684ff6a2a74
              • Opcode Fuzzy Hash: 962f23e4631cf13195801c3874ea54efabf73ca1a309c03576b347be8fa62831
              • Instruction Fuzzy Hash: 33B17D79A046049BDF25CF69CA80BAEB7BAFF45714F28456AE451EB380D730E841CB54
              Function 03656962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: 6eaac94c2d86865941c000d8e2cf0fb9b7a610240f0be2dc341e524717fb7e0f
              • Instruction ID: 67d83b3aafe9440b28b48d9e8b053f5d2580256cd11e85f7bc82b7c2f3cab76b
              • Opcode Fuzzy Hash: 6eaac94c2d86865941c000d8e2cf0fb9b7a610240f0be2dc341e524717fb7e0f
              • Instruction Fuzzy Hash: 63C26F716083419FEB25CF24C981BABBBE9AF88754F08896EF989C7340D734D805CB52
              Function 0362A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: 44640b5790a54bcd1a445ac6e01eeda066765daef696c89f33b6bf6c1cfdeedd
              • Instruction ID: b127d04e308e54e1e1d1517372de0b1c43529b133f3e8ea653b882cdbd0854b2
              • Opcode Fuzzy Hash: 44640b5790a54bcd1a445ac6e01eeda066765daef696c89f33b6bf6c1cfdeedd
              • Instruction Fuzzy Hash: 17A1AE759116289BDB31EF64CC88BEAF7B8EF48700F1401E9E909A7250D7359E85CF64
              Function 036C36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
              • API String ID: 0-318774311
              • Opcode ID: 0aa7a9c2a0f2e9d52c4d0235ee905ae8f37854a63c46aaa244c036ded61b4868
              • Instruction ID: 7e3ddfb15f758bfb57fe84025e1f13cf8b8262dfa62131c6d5f1621e9372199b
              • Opcode Fuzzy Hash: 0aa7a9c2a0f2e9d52c4d0235ee905ae8f37854a63c46aaa244c036ded61b4868
              • Instruction Fuzzy Hash: 2381AD79619380AFE311DF14C944B6AB7E8FF85750F28892DF9809B390E778D904CB66
              Function 0366909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %$&$@
              • API String ID: 0-1537733988
              • Opcode ID: 3d9acb8db45a08a742aa0d550ee2a1bb4cd6f3b75c444a2991670da462a2c339
              • Instruction ID: 2a2ccd1cfe23d223016cc74ba0c8c4b6504665c8401736f8c002467b0c59ddd2
              • Opcode Fuzzy Hash: 3d9acb8db45a08a742aa0d550ee2a1bb4cd6f3b75c444a2991670da462a2c339
              • Instruction Fuzzy Hash: C871C1745087419FC714DF24C680A2BFBE9BF86758F14891DE8979B351C731D80ACB9A
              Function 0370B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
              Download Yara Rule
              Strings
              • GlobalizationUserSettings, xrefs: 0370B834
              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0370B82A
              • TargetNtPath, xrefs: 0370B82F
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
              • API String ID: 0-505981995
              • Opcode ID: 3aaecf7e29bfde992202e6634c291bbe80133b10295fe86411ef0b49e38445ae
              • Instruction ID: 19108d0a0309964dab8fc0c3a7c00fbdcbb10abc091f9bfb249c985efe4116cf
              • Opcode Fuzzy Hash: 3aaecf7e29bfde992202e6634c291bbe80133b10295fe86411ef0b49e38445ae
              • Instruction Fuzzy Hash: 33616F76D51229EBDB31EB54CC88B9AB7F8AB14714F0101E9A509AB290C774DF80CF94
              Function 0362F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 0368E6A6
              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0368E6C6
              • HEAP: , xrefs: 0368E6B3
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
              • API String ID: 0-1340214556
              • Opcode ID: 5d138329f920074bbfe733780eff2e338b6ee6c556b30b7cb89b49d3e7b8d0ef
              • Instruction ID: a5376a3c1406178c61ae6691815ea3a972ce3b418ff9257a37480d5e1cf23467
              • Opcode Fuzzy Hash: 5d138329f920074bbfe733780eff2e338b6ee6c556b30b7cb89b49d3e7b8d0ef
              • Instruction Fuzzy Hash: CB51F335604B54EFD712EBA8C944BAAFBF8EF05300F0941A4E9418F792D779E951CB21
              Function 036DDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 036DDC12
              • Heap block at %p modified at %p past requested size of %Ix, xrefs: 036DDC32
              • HEAP: , xrefs: 036DDC1F
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
              • API String ID: 0-3815128232
              • Opcode ID: 233070c64f5e25b08a90af233305c3895cebe0f3965d3a129b616b14f4fa89de
              • Instruction ID: e2e0cad41338870372b423a029cc99a66a253ce9193bc407400493f2810ebf9e
              • Opcode Fuzzy Hash: 233070c64f5e25b08a90af233305c3895cebe0f3965d3a129b616b14f4fa89de
              • Instruction Fuzzy Hash: C55138B5A046508ED374FB2AC944772B7F5DF46248F09888EE4D28B285D2B5D843DB61
              Function 0366C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 036A82E8
              • Failed to reallocate the system dirs string !, xrefs: 036A82D7
              • LdrpInitializePerUserWindowsDirectory, xrefs: 036A82DE
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: 2b4500b0e1f66675598eed332122eb3a1364315c68c10e075157fb52747f53fe
              • Instruction ID: b360cf84716fd48b47fa1f1ea973f7cffda89a53c94513d7bb956deb83898c0b
              • Opcode Fuzzy Hash: 2b4500b0e1f66675598eed332122eb3a1364315c68c10e075157fb52747f53fe
              • Instruction Fuzzy Hash: C741D2B5644710ABC720FB68D944B5BBBE8EF49750F08892EF988DB350E774E8108B95
              Function 036616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
              Download Yara Rule
              Strings
              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 036A1B39
              • LdrpAllocateTls, xrefs: 036A1B40
              • minkernel\ntdll\ldrtls.c, xrefs: 036A1B4A
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
              • API String ID: 0-4274184382
              • Opcode ID: f0ffe6b0039a5e397ce3a4709f1b566266e5846a9202fce269022d74cd7569c3
              • Instruction ID: 0e6b3fa95e245f629c21fbb679521386f1262f1fb8696253639b508b5aefc277
              • Opcode Fuzzy Hash: f0ffe6b0039a5e397ce3a4709f1b566266e5846a9202fce269022d74cd7569c3
              • Instruction Fuzzy Hash: 814188B9A00608AFDB15DFA8C941AAEFBF5FF4A310F148119E506AB300E774AC00CB94
              Function 036EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 036EC1C5
              • PreferredUILanguages, xrefs: 036EC212
              • @, xrefs: 036EC1F1
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: d4de884c9876da6b4354e5e09cb4958300c13a97d461e9c7b3fb92f01925704f
              • Instruction ID: 16b1770528690e25bf75558f5efef2665a49f11f4e129dd5f3fcf586549cc995
              • Opcode Fuzzy Hash: d4de884c9876da6b4354e5e09cb4958300c13a97d461e9c7b3fb92f01925704f
              • Instruction Fuzzy Hash: 64418076E01219EFDB11DBD4C991FEEB7B8AB04700F14406AEA05B7290D7749A48CB58
              Function 036C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: 3b50ed8a2ea0ce7282ea76b6fc8ee0a812a7af163318e186c43a71546eb4ef8e
              • Instruction ID: d94733950ffe19fb7b61f30551103cbb0a40077397c0b82cb9caa2f4cc4d33ec
              • Opcode Fuzzy Hash: 3b50ed8a2ea0ce7282ea76b6fc8ee0a812a7af163318e186c43a71546eb4ef8e
              • Instruction Fuzzy Hash: 4E41E275910388CBEB23DBA6C960BBDBBB8EF55340F28045DD841EF791DA398901CB14
              Function 036B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrredirect.c, xrefs: 036B4899
              • LdrpCheckRedirection, xrefs: 036B488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 036B4888
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: 47e162de139afe3140592014bf4b268a9a1b2c2432c332b13ff1702cd8560791
              • Instruction ID: 6ded236eca08a572a5f2b8fc5a4ac22cc2535a90e5a0c99886313ba69f5eb555
              • Opcode Fuzzy Hash: 47e162de139afe3140592014bf4b268a9a1b2c2432c332b13ff1702cd8560791
              • Instruction Fuzzy Hash: 3141D732A007509FCB22CE6AD944AA6BBF9EF49650F09056DEC59DB353DB30D880CF91
              Function 036633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • Actx , xrefs: 036633AC
              • SXS: %s() passed the empty activation context data, xrefs: 036A29FE
              • RtlCreateActivationContext, xrefs: 036A29F9
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              • API String ID: 0-859632880
              • Opcode ID: 51373ccda66aa8f280aff8351b7eec90434d4e731b6229602dededce9e453326
              • Instruction ID: 72cdb6ae428f45c4bed7370226165ab3b6c4fe25471c16fbf783fbcb92778904
              • Opcode Fuzzy Hash: 51373ccda66aa8f280aff8351b7eec90434d4e731b6229602dededce9e453326
              • Instruction Fuzzy Hash: 293144366403019FDB26DE58C990B9AB7A4BF44750F288469EE059F3A2CB70DC41CBA0
              Function 03661607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
              Download Yara Rule
              Strings
              • DLL "%wZ" has TLS information at %p, xrefs: 036A1A40
              • minkernel\ntdll\ldrtls.c, xrefs: 036A1A51
              • LdrpInitializeTls, xrefs: 036A1A47
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
              • API String ID: 0-931879808
              • Opcode ID: 28c13e21bc57232204b2a05fc0144cec4ab7ce77b6a2b3488ef7cae3a2c851cf
              • Instruction ID: 36935fc0e9a02787b3bea93ff2d28eb9fc2d26be417a951e71a556c775132e61
              • Opcode Fuzzy Hash: 28c13e21bc57232204b2a05fc0144cec4ab7ce77b6a2b3488ef7cae3a2c851cf
              • Instruction Fuzzy Hash: F9312835A00205ABEB20DB58C985F7AB6BCFB537A4F08446DE505FB280E7B4AE558790
              Function 03671270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
              Download Yara Rule
              Strings
              • @, xrefs: 036712A5
              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0367127B
              • BuildLabEx, xrefs: 0367130F
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
              • API String ID: 0-3051831665
              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction ID: 4fd8307c7188cca98d1c06d6c092a7e7207332b4a941d40c4c93114e25f6681b
              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction Fuzzy Hash: E131D17690061CAFCB11EFA5CC44EEEBBBDEB85720F50442AE915AB260E730DE05CB54
              Function 036B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • Process initialization failed with status 0x%08lx, xrefs: 036B20F3
              • minkernel\ntdll\ldrinit.c, xrefs: 036B2104
              • LdrpInitializationFailure, xrefs: 036B20FA
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: e8b3e3e79338b02f87d36a5d5dc13f48748e430264bbde7ff24d847d1943a523
              • Instruction ID: 0a4142e7039449d8c5900139c798d5195d42f4a2dcdf50c3be5e8e353acffa7e
              • Opcode Fuzzy Hash: e8b3e3e79338b02f87d36a5d5dc13f48748e430264bbde7ff24d847d1943a523
              • Instruction Fuzzy Hash: C1F0FF34640308AFEA24EA4CCD62F9A7BA8EB40B14F080858F7006B281D2E4A9908A90
              Function 036403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: 7343084effd2247b57d44dfc95ffa13bf232f305c97d3e47e988d96fa3b3bc15
              • Instruction ID: 214483f5722da649fb4074724e93516d4d52ecaf632acc76270ae9f323894c15
              • Opcode Fuzzy Hash: 7343084effd2247b57d44dfc95ffa13bf232f305c97d3e47e988d96fa3b3bc15
              • Instruction Fuzzy Hash: DD714975E00249DFDB01DFA9D990BAEB7B8AF08304F154069E905AB351EB34ED41CB65
              Function 036D705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: kLsE
              • API String ID: 3446177414-3058123920
              • Opcode ID: 27b7865bd071bd89595841fcebaa55175b416f99aa41f8a518e06fbcdd8b8374
              • Instruction ID: d82621cd518209afc43787bbdbc7af76903f94be15bbeefd24b72865a1c233f5
              • Opcode Fuzzy Hash: 27b7865bd071bd89595841fcebaa55175b416f99aa41f8a518e06fbcdd8b8374
              • Instruction Fuzzy Hash: 404189719013504BE731FF65E949B697FA4AB11724F1C821EEC909F2C9CBB84485C7A6
              Function 036452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@
              • API String ID: 0-149943524
              • Opcode ID: a3e669032be63148fc582e8a5b8326c8c8c066297ac3a3ed1e97b60e7826532c
              • Instruction ID: 1d838454005d71be900683d78218450bf63a32e8a8788f1aa21738fbb595d2ad
              • Opcode Fuzzy Hash: a3e669032be63148fc582e8a5b8326c8c8c066297ac3a3ed1e97b60e7826532c
              • Instruction Fuzzy Hash: 42329B749083118BDB24CF18C680B3EB7E5EF86754F18492EFA969B3A0E734D855CB52
              Function 03632FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @4_w@4_w$PATH
              • API String ID: 0-1852745621
              • Opcode ID: 023c9aa3ba730e8dff961ab03c800ed178392423829caf6ed411e04152ac83bf
              • Instruction ID: c7f2ed9faacc10fb7b4ac0b0360b3df091f8f0f1326ef43721c1dde4de406b91
              • Opcode Fuzzy Hash: 023c9aa3ba730e8dff961ab03c800ed178392423829caf6ed411e04152ac83bf
              • Instruction Fuzzy Hash: D0F1D179E00258DBDB25DF98D981ABEBBF1FF4A700F688029E441AB350D7749C41CB65
              Function 036FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: cebbe5c1e45975bd4e18db08795638696fde61b0f6d2d619a94603a1c12eeb5e
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: 27C1CC312043429FDB24CF68C945B6BFBE5AF84318F088A2CFA99CA290D775E505CF95
              Function 03630CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
              Download Yara Rule
              Strings
              • ResIdCount less than 2., xrefs: 0368EEC9
              • Failed to retrieve service checksum., xrefs: 0368EE56
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
              • API String ID: 0-863616075
              • Opcode ID: 5394d5e181c4a2895e3fb1b3525a552485fc303b5465257c9142ff308d4625f6
              • Instruction ID: c06d777cc868bbf6faafbc9238541352489e38bbc7d462d7af199cd1c1d58a35
              • Opcode Fuzzy Hash: 5394d5e181c4a2895e3fb1b3525a552485fc303b5465257c9142ff308d4625f6
              • Instruction Fuzzy Hash: C4E1E0B59087849FE324CF15C440BABFBE4FB89314F048A2EE5998B381DB759909CF56
              Function 00402A30 Relevance: 2.7, Strings: 2, Instructions: 203COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU$gfff
              • API String ID: 0-2662692612
              • Opcode ID: 5b37a3c0fd99ac5dd8da7a0bc5dc8699bd2e4810ffb2a429830c766f07b83ec5
              • Instruction ID: faed0db1614185bdfc269bfeaa8a77f00729948d722b9629d9375dac633fff41
              • Opcode Fuzzy Hash: 5b37a3c0fd99ac5dd8da7a0bc5dc8699bd2e4810ffb2a429830c766f07b83ec5
              • Instruction Fuzzy Hash: 66510531B0010947DB18CD5DDE9466A7366EBE4345F28817BDC0AEF3C1EAB9EE059B84
              Function 036AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: f5bdff143d2a6c4c470b4854320c26fd364a918296e06342076583e22fc87f59
              • Instruction ID: 68e6d25f5e0dc5de08392799fb5897809773a15d80569401355860d50e0182c5
              • Opcode Fuzzy Hash: f5bdff143d2a6c4c470b4854320c26fd364a918296e06342076583e22fc87f59
              • Instruction Fuzzy Hash: 0D614975E00B089FDB24DFA88980AAEBBB9FB44700F14406DE559EB291D732AD01CF54
              Function 00402A28 Relevance: 2.7, Strings: 2, Instructions: 171COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU$gfff
              • API String ID: 0-2662692612
              • Opcode ID: 434f9dde78178f27ecfc5a2d5ca33501cbb7b233db91448e401a1e09e19ba84f
              • Instruction ID: 92736eb32ac0c33998f1676c2e4d164e19e82b770550d55c114ff46635d9b14e
              • Opcode Fuzzy Hash: 434f9dde78178f27ecfc5a2d5ca33501cbb7b233db91448e401a1e09e19ba84f
              • Instruction Fuzzy Hash: 5C513A31B0010687DB1CCD59CE9476A7666EBE4345F18817BDC06EF3D5EAB8EE058B84
              Function 00402779 Relevance: 2.7, Strings: 2, Instructions: 167COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU$yxxx
              • API String ID: 0-377871214
              • Opcode ID: 572b47ecb2e2cca45a6fe4cf031466cf0d07ef51f0e5dd03c07d56d48cc3463c
              • Instruction ID: 1eb99e56468885d6c607a4ccf16cd30ca7c65b4ff6116faa9cdd2c29117c225a
              • Opcode Fuzzy Hash: 572b47ecb2e2cca45a6fe4cf031466cf0d07ef51f0e5dd03c07d56d48cc3463c
              • Instruction Fuzzy Hash: 61519836B0050A4BCF18DE5DCE9526EB2E1ABD8304F188237D945EB3D1E678ED518744
              Function 0364F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$
              • API String ID: 0-233714265
              • Opcode ID: c41bc117ed7162076341a955c59028e4e2cc6c521d759bc0a91d0352d730e7f3
              • Instruction ID: 1060b068f425ea77d3a0190241a6fadc331c18ccc876f4f26073853ce85301e8
              • Opcode Fuzzy Hash: c41bc117ed7162076341a955c59028e4e2cc6c521d759bc0a91d0352d730e7f3
              • Instruction Fuzzy Hash: F361A675E0074ADFDB20EFA4C684BA9BBB5BF48304F18446DE515AF680CB74A941CB94
              Function 0363A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 0363A309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 0363A2FB
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: 5dcd71b91432a139db6f7fdf6ae244b573d3a57d303d306f1f8b4ebc9892e036
              • Instruction ID: 970e1e6c2eb5572221054081cb045306dc4f79b8e693fbf99f600cbcc0516843
              • Opcode Fuzzy Hash: 5dcd71b91432a139db6f7fdf6ae244b573d3a57d303d306f1f8b4ebc9892e036
              • Instruction Fuzzy Hash: 2541B034A04649DBEF15CF99C950BAAB7F8EF46304F2844AADC40DB3A5E335D941CB41
              Function 0366329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local\$@
              • API String ID: 0-380025441
              • Opcode ID: c93007812512a8f47c54d277b154f11fc84f79e93fe3642663ae41977557109f
              • Instruction ID: 1eeef98b9222b5c2e4068286194c2290e8919a001eb6d77d27bba13261c55ff4
              • Opcode Fuzzy Hash: c93007812512a8f47c54d277b154f11fc84f79e93fe3642663ae41977557109f
              • Instruction Fuzzy Hash: FC31B37A508344EFC311DF28C980A5BBBE8FBC5694F58092EF59597360EA30DD05CB92
              Function 0363C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 3d635077db32ab043391ab1d83842ce61f1b010174d51ec6212a2ac2cd4b1db1
              • Instruction ID: def04f2a4e08c6e44b639ae7ec58c3fd4a0cda41ca06e85e6e39239bf36bdefd
              • Opcode Fuzzy Hash: 3d635077db32ab043391ab1d83842ce61f1b010174d51ec6212a2ac2cd4b1db1
              • Instruction Fuzzy Hash: 3F824975E002189BDB24CFA9C980BEDFBB5FF4A710F188169E85AAB391D7309D41CB54
              Function 03682F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: P`MwRbMw
              • API String ID: 0-3798419607
              • Opcode ID: 3097b659f3c0e12a4a67db8477c355f035d6f747438bc50806d54017c03a4a1f
              • Instruction ID: bdd28e9116e0171cc4b69c70332d2b31decd27e6efcac9248ed54c8a0f30740a
              • Opcode Fuzzy Hash: 3097b659f3c0e12a4a67db8477c355f035d6f747438bc50806d54017c03a4a1f
              • Instruction Fuzzy Hash: 0842F37DD04249AADF29EF68DA546BDFBB0AF0DB10F3C825AD441AB380D7748981CB54
              Function 0365FB80 Relevance: 1.8, Strings: 1, Instructions: 559COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: I_wI_w@4_w@4_w
              • API String ID: 0-3634609715
              • Opcode ID: 3c867be53c2c554a3f566d98594122699f75c8394f273a8fa809e1c6b3fb0a79
              • Instruction ID: 713a091efd85b061d5f0daae6aa6635ce90b7cb63c11f0220c2d48bebeec2b20
              • Opcode Fuzzy Hash: 3c867be53c2c554a3f566d98594122699f75c8394f273a8fa809e1c6b3fb0a79
              • Instruction Fuzzy Hash: B222C074900609EFDB14DFA8C990BAEB7B5FF48310F2485A9E814AB345E734EA41CF94
              Function 03637370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 60d3993411c8823ec46c496abefb167364dbb92d09aeaa0badcb3d0c38b155e4
              • Instruction ID: c72d7e21aa660630aab053b34df6614b7166a4c03696f19f6f4eac8964624f97
              • Opcode Fuzzy Hash: 60d3993411c8823ec46c496abefb167364dbb92d09aeaa0badcb3d0c38b155e4
              • Instruction Fuzzy Hash: 4DA18FB5608342CFD724DF28C580A2ABBE9FF89314F24496EE5858B351D730E945CB92
              Function 03652E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: a23065dfd1f7c0bda078af53e8cac8e49f9103cb0f2687e8c8bec579f63a991a
              • Instruction ID: 6f20ff28364915122a468ccee0b0b540335eec60431b9d76cfb865f03a52b7c9
              • Opcode Fuzzy Hash: a23065dfd1f7c0bda078af53e8cac8e49f9103cb0f2687e8c8bec579f63a991a
              • Instruction Fuzzy Hash: 6BF19E79608745CFDB21CF24C590B6ABBE5AF88A50F29487DFC8A8B340DB30D945CB52
              Function 00416C1E Relevance: 1.7, Strings: 1, Instructions: 425COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 51f37fcdfeb56654b1aaaf0f9dcf528166f1ba63b4207eb0f295e034aba672fe
              • Instruction ID: 11787c99c327d35e96af2d473ea530c8980ac7efe56d6a24d88c27d8638258e3
              • Opcode Fuzzy Hash: 51f37fcdfeb56654b1aaaf0f9dcf528166f1ba63b4207eb0f295e034aba672fe
              • Instruction Fuzzy Hash: 32021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
              Function 00416C23 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction ID: 139f05f50c8232f9d8cd5ecb3960d770aff4bb5342a9fc9c005963e548a16490
              • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction Fuzzy Hash: B6021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
              Function 0365FDC0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: I_wI_w@4_w@4_w
              • API String ID: 0-3634609715
              • Opcode ID: 8010ce45e0ca5b65d77275f35b6bc2585a90d57dca97f7c3348b01d0fd3c1fd6
              • Instruction ID: a5d9c1cc6756645560d32020e50053c85bd54a0cb99d226ebeca0b9decb8939c
              • Opcode Fuzzy Hash: 8010ce45e0ca5b65d77275f35b6bc2585a90d57dca97f7c3348b01d0fd3c1fd6
              • Instruction Fuzzy Hash: 1CF19E74900609DFDB14DFA8C990AAEBBB4FF48314F2885A9E805AB345E735DE45CF90
              Function 0366F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 908288775244fba5e7657664d9a15f1a7e495d0b5839d18e1909d4f8f0143b64
              • Instruction ID: bc99c930b40c4da76929bcfbd83a8513674420713844b09f3889f73e16352f97
              • Opcode Fuzzy Hash: 908288775244fba5e7657664d9a15f1a7e495d0b5839d18e1909d4f8f0143b64
              • Instruction Fuzzy Hash: 40414AB4900288AFDB20DFA9D580AADFBF4FB49340F54816ED959EB211D734A950DF60
              Function 03630100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: cfc405c0a1a7c7a04ecaf35f9db0f8b7c162ebbd600aa53015ab419d75e7064a
              • Instruction ID: 07159e96efa2cd17355f1abeb3b63d93af1dfa92dbd1209198c2ffa6f7f29da9
              • Opcode Fuzzy Hash: cfc405c0a1a7c7a04ecaf35f9db0f8b7c162ebbd600aa53015ab419d75e7064a
              • Instruction Fuzzy Hash: 36A15D35A083686BDF24DB688A41BFEA7B85F4B304F0840DDED876B381C6B5C949CB55
              Function 0366A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              • Opcode ID: 1a44244ca997e04928b26640cd75a2126115a72ca856b0f3cb1cf4117fdd01a8
              • Instruction ID: e489b179006cfa1e171b88ac69ea38764c3d16dcfa29eb499e8209c49e8c2957
              • Opcode Fuzzy Hash: 1a44244ca997e04928b26640cd75a2126115a72ca856b0f3cb1cf4117fdd01a8
              • Instruction Fuzzy Hash: E9713975E0061A9FDB28CF9CD6946ADBBB5BF48740F18816EE806AB340D7709D41CF64
              Function 0363973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction ID: 1cfc58168302b2c59493645412338db0ecc247658966df5d6d3be76a11286db7
              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction Fuzzy Hash: 11617D75D00219ABDF21DF99C944BAEFBF8FF85714F144A6AE810A7290D7B49901CF50
              Function 0362B2D3 Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 04_w04_wI_wI_w@4_w@4_w
              • API String ID: 0-4217632228
              • Opcode ID: 782cade38c00e67b85660adf96ad08f6b1d10f3eeb57d045d472455180263955
              • Instruction ID: db6e9885206f66aaeee56d51d372365531a1e5d1b64849edb898a59d71f7e5b9
              • Opcode Fuzzy Hash: 782cade38c00e67b85660adf96ad08f6b1d10f3eeb57d045d472455180263955
              • Instruction Fuzzy Hash: 69414531600B10AFD725EF25D980F26BBA8EF45760F1A846DE6099B350DB34DC01CFA4
              Function 036BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction ID: de69738bca26aab09e451f26a3882d74ea14f9395ea660894c422b55e20d1718
              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction Fuzzy Hash: 38517872604305AFD721EF54CD40FAAB7F8FB84B50F04092DBA809B2A0D7B1E954CB95
              Function 004024B0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff
              • API String ID: 0-1553575800
              • Opcode ID: 4d4dc45ee9f6ee4df8aabe82cccbd4511719aba03505df8b3d073d99eeb4b446
              • Instruction ID: 743106aa10faf3d981dd36b49f664af5034f0ef2dc92919d134031200b7d9439
              • Opcode Fuzzy Hash: 4d4dc45ee9f6ee4df8aabe82cccbd4511719aba03505df8b3d073d99eeb4b446
              • Instruction Fuzzy Hash: 1C412532B4011A17DB2C481D9EB83A66243E3E4314F58863BDC9AEF3C5E4BDAC43429C
              Function 0364E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: 4b727eda413d6b17d6b9535ebb99220816a5a1de4fb35cb3d6c654595c926214
              • Instruction ID: 21f83fc0e2911a1b284390625cdc9e58a31a0de520c8bf6e8593683e988d60ba
              • Opcode Fuzzy Hash: 4b727eda413d6b17d6b9535ebb99220816a5a1de4fb35cb3d6c654595c926214
              • Instruction Fuzzy Hash: 26418076A083019BD710DB75CA84B6BB7E8BF88714F440D2DF985DB280EB75D904C79A
              Function 004024AC Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff
              • API String ID: 0-1553575800
              • Opcode ID: 54c18c1fa2f24adcc22f8f4821ab7865668908591cb321008fb8f27d7ca52a8e
              • Instruction ID: dcb72006a73bc0b5e1c916c3c2504133bd43e491a14a90ebacffb8743a837355
              • Opcode Fuzzy Hash: 54c18c1fa2f24adcc22f8f4821ab7865668908591cb321008fb8f27d7ca52a8e
              • Instruction Fuzzy Hash: D9414932B4051613DB2C481DCEB83A66247E7E5314F58863BDC99EF3D5E8BDAD42428C
              Function 036EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: PreferredUILanguages
              • API String ID: 0-1884656846
              • Opcode ID: 429f081783d11c63b27201517ee6105645ede39115fdab76c1cb3547c2d0eb9c
              • Instruction ID: 41d73c71cceed6cf726749f2e6388583aa4094814e69624f26ebc3b890213ad4
              • Opcode Fuzzy Hash: 429f081783d11c63b27201517ee6105645ede39115fdab76c1cb3547c2d0eb9c
              • Instruction Fuzzy Hash: 1041E636D05219ABCF11DA94C941BEEF7B9EF44710F05016AE911EB354DAB0DE48CBA4
              Function 036AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: e6d4eaa618891ffa01522ac999162f7e0c31a470fadd53387f9aa5ba82bf82e3
              • Instruction ID: 5050e1ac809b3756096bbe2c335ae7b4af01d888695b53cc4544b52ddb942a9e
              • Opcode Fuzzy Hash: e6d4eaa618891ffa01522ac999162f7e0c31a470fadd53387f9aa5ba82bf82e3
              • Instruction Fuzzy Hash: 2E4145B5D0062CABDB21DB54CC84FDEB77CAB45714F4045E9E608EB240DB709E898FA8
              Function 036B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: verifier.dll
              • API String ID: 0-3265496382
              • Opcode ID: 9ae3b7526a365b293466ce1bd8841c921e15d89f547e2c05b9a7152c0bcb7cb2
              • Instruction ID: 0d6f0649fefcb7a4e82c02fea64c8bf698d9348f0b97a41022c05c5199b2e6d8
              • Opcode Fuzzy Hash: 9ae3b7526a365b293466ce1bd8841c921e15d89f547e2c05b9a7152c0bcb7cb2
              • Instruction Fuzzy Hash: 153180B5A403019FDB24DF699950AB6B6F5EB49310F98887EE6099F381E7318C818B94
              Function 00401000 Relevance: 1.4, Strings: 1, Instructions: 116COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff
              • API String ID: 0-1553575800
              • Opcode ID: 0cff5a9ed7b3346174c945a8c1656bb69db68467723196e66fe9c8053a312e7b
              • Instruction ID: b757db7fba9082504d6101b32004a180a59d19455fb442cfecb980e40ebac871
              • Opcode Fuzzy Hash: 0cff5a9ed7b3346174c945a8c1656bb69db68467723196e66fe9c8053a312e7b
              • Instruction Fuzzy Hash: 39312972B0015A03DB1C841EDC616A6A247C7E4345F5DC23BED4AEFBE5F83AAD018184
              Function 036636EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Flst
              • API String ID: 0-2374792617
              • Opcode ID: 1cdf4a0237750d30059002fb375216ce37e3c0f1c1d772a12f1314767932ef6a
              • Instruction ID: 4af63eb8ca623391cb8efb56aff8c7f097b3532c009b5dd5689292bbb993af26
              • Opcode Fuzzy Hash: 1cdf4a0237750d30059002fb375216ce37e3c0f1c1d772a12f1314767932ef6a
              • Instruction Fuzzy Hash: 7A4198B56053019FC314CF18C184A16FBE4EB89754F28856EE44A8F391DB31D942CF99
              Function 03629730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: L4_wL4_w
              • API String ID: 0-4042522810
              • Opcode ID: 7cebd6000d66b6e2583145ea99ce1f9b199878e5d8c6c694a766d0d43a5fab1b
              • Instruction ID: e1e2340a3410421f8dd8261a6f8251a094379bdbec9ef6e6850f55ce31c32d8c
              • Opcode Fuzzy Hash: 7cebd6000d66b6e2583145ea99ce1f9b199878e5d8c6c694a766d0d43a5fab1b
              • Instruction Fuzzy Hash: E221AF7AA00B24AFD322EF588804B5ABFF5FBC8B54F160469EA559B341D774E811CB90
              Function 03635096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: f69a2859a1e5ac56c0f88511659ffabdf373a8f7619218792ca38fbe94be20d4
              • Instruction ID: 313eca75b1d8bfdd27de6b6c42c0c0b6de4610fd30712caa0cdb8affdd155dea
              • Opcode Fuzzy Hash: f69a2859a1e5ac56c0f88511659ffabdf373a8f7619218792ca38fbe94be20d4
              • Instruction Fuzzy Hash: E91160307096028BEB28C91D89546B6F6D9EF97264F3C852AE663CB391D773D8428780
              Function 036B106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrCreateEnclave
              • API String ID: 0-3262589265
              • Opcode ID: 3bb02f52181d1ae565e87c0cd7d5bf62f2860f29af686cda255049f36c46e84e
              • Instruction ID: e22d107970d5fcf3c96b5fbb52aaa99cc56316aa6c842f6563b3f6a2b22e29a1
              • Opcode Fuzzy Hash: 3bb02f52181d1ae565e87c0cd7d5bf62f2860f29af686cda255049f36c46e84e
              • Instruction Fuzzy Hash: CF2134B1508344AFD320DF2AC804A9BFBE8EBD6B00F044A1EB5A08B250DBB09545CF96
              Function 0366E8F0 Relevance: 1.0, Instructions: 985COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9121aec9a241616c6dd17ab1de8bb016cfb392964efc9ce52f41e69be5bb271b
              • Instruction ID: 4a280fbc98fe7c4eea95c4e384acc1f402609275edffabcb9cca38965550c36a
              • Opcode Fuzzy Hash: 9121aec9a241616c6dd17ab1de8bb016cfb392964efc9ce52f41e69be5bb271b
              • Instruction Fuzzy Hash: AB822472F102188FCB58CFADD8916DDB7F2EF88314B19812DE416EB349DA34AC568B45
              Function 0367516C Relevance: .8, Instructions: 785COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21346d3ade96e5cff4840e3212de7c87c4cd7ce695049781e712288dca8429a9
              • Instruction ID: d01f84273497d64d6f25ce0e25f88195a1948a6e79f2864fcc216c859a925533
              • Opcode Fuzzy Hash: 21346d3ade96e5cff4840e3212de7c87c4cd7ce695049781e712288dca8429a9
              • Instruction Fuzzy Hash: 66628F3290464AAFCF24CF08D5904AEFB72BA56314B89C6DCCA9B27704D371BA55CBD1
              Function 0368739A Relevance: .7, Instructions: 705COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c94790cd9ae216031a0d54be32fbcb594dfe7af4d9be41aba7a831c8ba66d9b5
              • Instruction ID: 9504580056d2e77c62b22c7735c85e61f7cb15c7a9476a0c4d3f9918c5fd4746
              • Opcode Fuzzy Hash: c94790cd9ae216031a0d54be32fbcb594dfe7af4d9be41aba7a831c8ba66d9b5
              • Instruction Fuzzy Hash: E642C275A006168FDB14DF59C580ABEF7B6FF8C314B28866DD552AB340DB34E842CBA0
              Function 03685AA0 Relevance: .7, Instructions: 652COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
              • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
              Function 0365B2C0 Relevance: .6, Instructions: 629COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e8bedf0ab1c44f63292438cd78a2988a66b23611060334857ab650ba675e3ba
              • Instruction ID: f26811ab4c5d29a51d2666c36dce220d8f4b6b8078d65854eea0a04cdbbb79b6
              • Opcode Fuzzy Hash: 7e8bedf0ab1c44f63292438cd78a2988a66b23611060334857ab650ba675e3ba
              • Instruction Fuzzy Hash: 6C32AC76E01219DBCF24DFA8C994BAEBBB5FF54714F18002AEC05AB381E7759911CB90
              Function 03642840 Relevance: .6, Instructions: 605COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 51fa90f2d6fc7e77e39bfeda8c69bf4a44f2136ea713ffea4c7b08cca53df2cc
              • Instruction ID: 284b4a40b1ba63394f27740b2aec2d0e1fdcd678752c98808c9f87a13c515515
              • Opcode Fuzzy Hash: 51fa90f2d6fc7e77e39bfeda8c69bf4a44f2136ea713ffea4c7b08cca53df2cc
              • Instruction Fuzzy Hash: 3432CD74A007558BEF24CF69CA547BEFBFAAF84314F28855EE4469B384D735A802CB50
              Function 036DA118 Relevance: .6, Instructions: 591COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7285ebbdc8d6d1625025dd5f817c950a4b7d4a9f7caee0f677c7c49bb6e47cba
              • Instruction ID: 71246390a9ed15d8ad398fd047a3d5282335d68fa9d79f4e3d270904c84e7079
              • Opcode Fuzzy Hash: 7285ebbdc8d6d1625025dd5f817c950a4b7d4a9f7caee0f677c7c49bb6e47cba
              • Instruction Fuzzy Hash: CE22DF74A08691CBDB24CFA9C294772B7F1AF44300F0C859AE886CF785E735E562CB64
              Function 036F16CC Relevance: .6, Instructions: 571COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9ca1f758236a251bfed1a50216bfb3a6522f01011ad6bf9533e38a4539a7931
              • Instruction ID: fefc5ffeb383530c5e2180fd2e312fa1d8a101aa28224aed39ba449d7aceca20
              • Opcode Fuzzy Hash: a9ca1f758236a251bfed1a50216bfb3a6522f01011ad6bf9533e38a4539a7931
              • Instruction Fuzzy Hash: 3522D235A00216CFCB19CF59C590ABAF7B2FF8A354B28456DDA56DB344DB30E942CB90
              Function 036F1D5A Relevance: .6, Instructions: 559COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3c9ed4017a950788a82ec1e33b39c764cc97a159b6fa27348b8f8f352682b8e
              • Instruction ID: f6a95d6246a762919c9bc2b7a830d9026c456047c68e0439d7a6c1d2335a00bf
              • Opcode Fuzzy Hash: f3c9ed4017a950788a82ec1e33b39c764cc97a159b6fa27348b8f8f352682b8e
              • Instruction Fuzzy Hash: 6522A0396047128FC718CF18C5A0A2AF7E5FF89314B188A6DEA96CB355D730E846CF95
              Function 03658DBF Relevance: .6, Instructions: 554COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 921b4d64fdf1f3747df45ebbf0b0b76e4727f4034c00df19a952bb80b22f996e
              • Instruction ID: 4eea2e779686f4d18fae863b40b9a6ef5343e1f97b2945d1547aa2154636d119
              • Opcode Fuzzy Hash: 921b4d64fdf1f3747df45ebbf0b0b76e4727f4034c00df19a952bb80b22f996e
              • Instruction Fuzzy Hash: E8222C70E0021ADBDF14CF95C5809BEFBFAAF48704F5980AAE845AB641E734D942CB64
              Function 036F2446 Relevance: .5, Instructions: 485COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13bc9af504f2530e96f97f51d774b37fb01662b80aa5f0667db837b5a7e565b2
              • Instruction ID: 8c0abc78a8da9414d67baf34fc8c10ac618f3b6b71d50f8e6f646745f4709499
              • Opcode Fuzzy Hash: 13bc9af504f2530e96f97f51d774b37fb01662b80aa5f0667db837b5a7e565b2
              • Instruction Fuzzy Hash: C802F1386046518FDB24CF2AC560275FBF1AF85300B18899AEAD6CF385D734E996DF60
              Function 0370B16B Relevance: .4, Instructions: 450COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76af3d37fb99fd25720d3d2cfbc5b7e11662ce655a14b4671dc3a543c1aab988
              • Instruction ID: f9ed8900d0aeb0feac583f280e43213b4e6b9345a3805a930769628e90632104
              • Opcode Fuzzy Hash: 76af3d37fb99fd25720d3d2cfbc5b7e11662ce655a14b4671dc3a543c1aab988
              • Instruction Fuzzy Hash: 96F1D572E006159BCB18CFA9C9A067EFBF5EF8821071D41ADD456DB3C1E674EA41CB90
              Function 004104E3 Relevance: .4, Instructions: 435COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction ID: 1eecd24a4e6a77db88770c4d53f1f1d29cda136bb14be5cb9f626c60a55da8b8
              • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction Fuzzy Hash: A4026F73E547164FE720DE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
              Function 0370A9A6 Relevance: .4, Instructions: 425COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 987e90e0317f7beebd37cfb0e00b4d08b2c0129b6aedab55b7fb7f44ae0aa99d
              • Instruction ID: b1aa32e138c63196a12cec60a54d469bd11cb139553bf05c460e55cca820a912
              • Opcode Fuzzy Hash: 987e90e0317f7beebd37cfb0e00b4d08b2c0129b6aedab55b7fb7f44ae0aa99d
              • Instruction Fuzzy Hash: 80F1A472E00626DBCB58CE68C5A15BDFBF5AF45210B1A426DD856EB3C0D734EE41CB90
              Function 03628397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 97dcbc98dd073d32445dd83acc64614abdc571c4c56d133366cb7132bfb3e57b
              • Instruction ID: fc5695926bf62b9d70b73769767bef4fe7f839e459530ca2f36111d164f9f1ed
              • Opcode Fuzzy Hash: 97dcbc98dd073d32445dd83acc64614abdc571c4c56d133366cb7132bfb3e57b
              • Instruction Fuzzy Hash: 74D1D475A00B269BCF14DF64CD90ABEBBA5BF48304F0A862DE815DB280E734D951CF60
              Function 0365C6E0 Relevance: .4, Instructions: 367COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee857fa14aabb1be21e19baf028e6706fa68c92290f976f78203a0ac7558595e
              • Instruction ID: 3b7e56ce361057f84eb1eda0137a8e6e57f663a650ececcc2bca19ba4394d633
              • Opcode Fuzzy Hash: ee857fa14aabb1be21e19baf028e6706fa68c92290f976f78203a0ac7558595e
              • Instruction Fuzzy Hash: 56D16D71E043198BEF28CE98C6847BDBBB5FB44304F18807AEC46AB394D7B58942DB45
              Function 036438E0 Relevance: .3, Instructions: 349COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 333c961a9cff4e48df7ab8e775c01a65bfe6ccee337e4c1d836dd67a6f2cbc31
              • Instruction ID: b207525476c52080fb5963b0f7b7b0a587839f7318416a3bd6bf9320df47fb20
              • Opcode Fuzzy Hash: 333c961a9cff4e48df7ab8e775c01a65bfe6ccee337e4c1d836dd67a6f2cbc31
              • Instruction Fuzzy Hash: ECE19E75A00205CFDB18CF58C980BAAB7F5FF58310F28819AE855EB391D734EA51CB90
              Function 0364CFE0 Relevance: .3, Instructions: 345COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 287cd1c4acbb309d98da8b721ef8c94e526c49b68e608b292af005a6315e051b
              • Instruction ID: 21494e1d54f3fa5a7f6f1bc991ab6dbec104cc975d0865bb23e5cb7f729d50f8
              • Opcode Fuzzy Hash: 287cd1c4acbb309d98da8b721ef8c94e526c49b68e608b292af005a6315e051b
              • Instruction Fuzzy Hash: 61D1A330E003299FEB25DF25C994BAAF7B5AB49704F0840EDD909AB342DB74AD85CF51
              Function 0363D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 405e4545d23e6fb1806599b31c255339c2895dcb403d3a20b6b260611907791c
              • Instruction ID: 81a68c6de8afb1d907fbccfbe3fa0bd8278a453d77ebdbbaf4a87c306e508e1d
              • Opcode Fuzzy Hash: 405e4545d23e6fb1806599b31c255339c2895dcb403d3a20b6b260611907791c
              • Instruction Fuzzy Hash: 23C19371E002159FEF25CF5AC940BAEFBB9EF55314F18826AD915AB390D770E942CB80
              Function 03640535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: 419b0005f14b0e3bf6aa7146815f086bd5a135973496a7311b4c7590387125fa
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: 3BB11875A00655AFDF26DB68CA50BBEFBFAEF84200F190199D642DB381DB30D942CB50
              Function 036590DB Relevance: .3, Instructions: 287COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ceca652abe237944913a9097d39f7c91e3a77b9f3614988b18095d378dece6dd
              • Instruction ID: 4faea40c2820b22c5fcc7fac65593395a82cbd17494c5d58d54f318269d9e4d0
              • Opcode Fuzzy Hash: ceca652abe237944913a9097d39f7c91e3a77b9f3614988b18095d378dece6dd
              • Instruction Fuzzy Hash: B4A13B75900215AFEF12EFA4CC95BAE77B9EF46750F054068FA00AF2A0D7759C10CBA4
              Function 036383C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4221b2808ee087ba493f626103dd1ef2757fa7d8fe4cbc8f2c51a61941d6f1aa
              • Instruction ID: bdaff764204ba1014785d391d8eb2df08658de79e0794ff7b24941d0a5606772
              • Opcode Fuzzy Hash: 4221b2808ee087ba493f626103dd1ef2757fa7d8fe4cbc8f2c51a61941d6f1aa
              • Instruction Fuzzy Hash: 09C15874108341CFDB64CF15C584BAAB7E8FF89304F54496EE9898B391D774E909CB92
              Function 03670185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48bc216d829923493dd270a460af4106c0d14bddfc2769e2557a7001edde511e
              • Instruction ID: 2df9a3e8f7594e1d586e11595edcfc901b3f24a430b61e9a3bbf7f02362f5867
              • Opcode Fuzzy Hash: 48bc216d829923493dd270a460af4106c0d14bddfc2769e2557a7001edde511e
              • Instruction Fuzzy Hash: 28A1C275B0071ADBDB24DF69CA90BAAB7F5FF44314F544129EA059B381DB34E812CBA0
              Function 0364E3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d180cd0e904b8d180ff9598c2c6c366115c1c5e119618fe4c662eb9b05f85a85
              • Instruction ID: e879bded4ebd538b1e04037936284470d3c8512bd5666b691589c0908e484ab7
              • Opcode Fuzzy Hash: d180cd0e904b8d180ff9598c2c6c366115c1c5e119618fe4c662eb9b05f85a85
              • Instruction Fuzzy Hash: 02914635E002118BEB28DB28D540B7EB7E9FF84714F1944AEE8059F340E736D842C761
              Function 03631131 Relevance: .3, Instructions: 259COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3cb5f7391e0fe50eabf392035cd150940a4dbb4700d0086fa58e00fd5f0cd7d9
              • Instruction ID: 41b5a84c715f62e2c60f16e53d6b9b55c0fc937b5ccf2a5d43878836a8fcd288
              • Opcode Fuzzy Hash: 3cb5f7391e0fe50eabf392035cd150940a4dbb4700d0086fa58e00fd5f0cd7d9
              • Instruction Fuzzy Hash: C2B11275A093408FD364DF28C580A5AFBF1BB89304F184A6EF899CB352D371E945CB96
              Function 03664750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction ID: 94b9815d1a960a76b41378a3b9ce08b8e942fd6703b077cf29579abf751db6a8
              • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction Fuzzy Hash: 51815A35E047969FDB22CEADC9C026EBF55EF52280F2C467ED4428B341CA64DC86CB91
              Function 0367DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
              • Instruction ID: 58df7eb7d6f137e6ce696f83bdaef88c361c0be0a56c0375513600389175f6c5
              • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
              • Instruction Fuzzy Hash: 0E915E72620A06CFD725CF2DC985666FBE0FF55324BA88E18E4E6DB6A0D375E511CB00
              Function 036FF7B0 Relevance: .2, Instructions: 242COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 851202130379acd59c86d2f68b7f993cd87ff14a86f1856e471556738efef0cb
              • Instruction ID: b2694a7e9168e3df326d95bc7eb6a888cea653db386469314faa4d7e9f77148c
              • Opcode Fuzzy Hash: 851202130379acd59c86d2f68b7f993cd87ff14a86f1856e471556738efef0cb
              • Instruction Fuzzy Hash: A891C272E00206AFDB14CF28C9807AAB7F5AF48310F188578EA65DF395D775E951CB90
              Function 036FF43F Relevance: .2, Instructions: 241COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 13072db3191975d68780cf433e347c59b2cdd669a4a35afab76843672bf2aa3d
              • Instruction ID: 8c895e4c701944a022572da94e3412ea33d8353cd91f3ee3896ca8a23fc6b787
              • Opcode Fuzzy Hash: 13072db3191975d68780cf433e347c59b2cdd669a4a35afab76843672bf2aa3d
              • Instruction Fuzzy Hash: 4C91D172A105158FCB18CF69C8916BEBBF1FF88310F19C6A9D915EB39AD634D901CB50
              Function 036F81CC Relevance: .2, Instructions: 232COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d610b0706af8bc4bb234ecae75c18eebaf8b7ba9ef6ff6dcbdc89237cefb721
              • Instruction ID: c0fc5958b7db9b03d3cbbb57b51655d97cb2fa284e41ec2f1ac4b3e7a019f1f3
              • Opcode Fuzzy Hash: 8d610b0706af8bc4bb234ecae75c18eebaf8b7ba9ef6ff6dcbdc89237cefb721
              • Instruction Fuzzy Hash: 8A81C572E006199FCB14CFA9C8805AEB7F5FF88314B1843AAD925E7384D774E952CB94
              Function 03640E59 Relevance: .2, Instructions: 231COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfcd2fae845ed1753c7806fd0dc16dce7a1da570da8912fd9aadb3cc032d8098
              • Instruction ID: a9b8d2871385d72c6a5496616e51ea7ee9702001330006b557ef07782a2fa7ad
              • Opcode Fuzzy Hash: cfcd2fae845ed1753c7806fd0dc16dce7a1da570da8912fd9aadb3cc032d8098
              • Instruction Fuzzy Hash: EB81B531E00669DFDB54CF69C9809AEFBB6FFC5210B28C2A9E9159B345D730E941CB90
              Function 036EE4F6 Relevance: .2, Instructions: 224COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6ecadc6af6f6564b5b88e0b27afa5f9d4c09e0bddbdddaaed5eaee11a3c3a22
              • Instruction ID: 624a3f2d23c98f74624a83d947d5b359e19f1fec3def24c56df4bd01eda65fcc
              • Opcode Fuzzy Hash: e6ecadc6af6f6564b5b88e0b27afa5f9d4c09e0bddbdddaaed5eaee11a3c3a22
              • Instruction Fuzzy Hash: A3819E76E012159BCB28CF98C5906ADFBF1EF88310F1981AED816EF384D7359941CB90
              Function 036FAB40 Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction ID: ff22e22474763143547d60868f56b409364860c9c314972ca1ffb0ef42e0d7a7
              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction Fuzzy Hash: 09816E75A102099FCF18DF98C990AAEB7B6BF88314F18816DDA1A9B344D774E902CF54
              Function 0365D090 Relevance: .2, Instructions: 217COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction ID: f8037da70403c99489649c026d356e9af231e6c65b59dac8a39e5c8a44cbe037
              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction Fuzzy Hash: 00818E76E001198BEF24CF58C9807AEFBB6FB84354F19816BD815BB384D6329A45CB91
              Function 0366E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e4a74121a11b51bcf66b1f26568438ee62395aabf247e2c0118dbd40dd1ac2c
              • Instruction ID: 1a67cb47911470719adf8e82fc76fc8aa272ef0936939d76771c26d0d59d1e21
              • Opcode Fuzzy Hash: 6e4a74121a11b51bcf66b1f26568438ee62395aabf247e2c0118dbd40dd1ac2c
              • Instruction Fuzzy Hash: 2C815E75A00609AFDB25CBA9C980AEAF7F9FB88384F14442DE555A7250D731AC05CB60
              Function 0365B950 Relevance: .2, Instructions: 209COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27bd6665eebbe9252200d9d72294f3ae764312e555e2d07ab8564476d4949803
              • Instruction ID: 0ae3eea919f807434a1953d7e50e4b019f2c5b91369d1de5c44610cbfdf9a765
              • Opcode Fuzzy Hash: 27bd6665eebbe9252200d9d72294f3ae764312e555e2d07ab8564476d4949803
              • Instruction Fuzzy Hash: 5271C7346047509EEB24CE2ACA40736B7E5EB85714F18856EFC96CB2C4D7B6E806CB61
              Function 0364C640 Relevance: .2, Instructions: 206COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb0f011c51619f7cec4628a63d1ee9c49a6d7f692afe9c6647173d1907d2e3c9
              • Instruction ID: d78069826596cbd17330e0451963b1a27972ff8b0ea2748a3b3424b81ec231b4
              • Opcode Fuzzy Hash: bb0f011c51619f7cec4628a63d1ee9c49a6d7f692afe9c6647173d1907d2e3c9
              • Instruction Fuzzy Hash: 5171CDB5C01265EFDB25CF59CA90BBEBBB8FF59700F14815AE842AB350D7749805CBA0
              Function 036EDAC6 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f88b33934a605b52a66c14ba0c71ba7898b6c83f9b7fbf8b8ec90a9ac055b007
              • Instruction ID: 8b854468e276c8476428b1a367887518a6f4f2a1eebc4c13a754978c32bc8bd1
              • Opcode Fuzzy Hash: f88b33934a605b52a66c14ba0c71ba7898b6c83f9b7fbf8b8ec90a9ac055b007
              • Instruction Fuzzy Hash: 0C819C70D01295DFCB24CF69C544AAAFBF8EF4AB40F048499E495AB385D374D84ADF50
              Function 036F70E9 Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 639fef1e490ce4c2c61962a0b95768f5e26272217cca1204fc4e69a4cc9fcc53
              • Instruction ID: b003d8db531e16824c7676788ddca76f53365e4caca47227c4874edc23a3fbb0
              • Opcode Fuzzy Hash: 639fef1e490ce4c2c61962a0b95768f5e26272217cca1204fc4e69a4cc9fcc53
              • Instruction Fuzzy Hash: E061E675E0031AAFCB14EFA5C9909BFB779BF44250F18443DEA11AB340EB70DA458B94
              Function 0364260B Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 208346eb7f87a7c0ecb17b14af5c3a2d18d29146cdc4b81340e45a65a3cf7c2b
              • Instruction ID: decb789639a239043cab116933174a021144745e51cb887863042d431e93a760
              • Opcode Fuzzy Hash: 208346eb7f87a7c0ecb17b14af5c3a2d18d29146cdc4b81340e45a65a3cf7c2b
              • Instruction Fuzzy Hash: 2971FE35A042419FC711DF28C594B2AB7E5FF88310F1989AAF898CF351DB38D846CB95
              Function 036EF0CC Relevance: .2, Instructions: 199COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 04a3d5c1e8e25ba7574f272d288289ceab5831dd468fb67ec5a26ee6a8e3bd48
              • Instruction ID: e2468e63476af102b0709065359b63408975719935c7a0752c0d06d3852affa6
              • Opcode Fuzzy Hash: 04a3d5c1e8e25ba7574f272d288289ceab5831dd468fb67ec5a26ee6a8e3bd48
              • Instruction Fuzzy Hash: F3719E79A02626DFCB24CF9AC18017AF7F1FF44704B6A846ED8829B340D774E949CB54
              Function 036B035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: 35b803e2ab36ec9705f0c9b3b70212a901829f2ee47b6f0d795e72b294d94cc6
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: BB716B75E00619EFCB10DFA9CA84AEEBBB8FF48700F144569E505AB250DB34EA41CF94
              Function 036C62A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21bdefe6108605049e7dce725450c4a4b25fe5c7b578731b31581206d73de3d9
              • Instruction ID: d5c8f88d227f57253c383c21e2cc4e3cd425ba37781e207dfb3c8f7ea8e6b2f8
              • Opcode Fuzzy Hash: 21bdefe6108605049e7dce725450c4a4b25fe5c7b578731b31581206d73de3d9
              • Instruction Fuzzy Hash: D771E036210B41AFDB31DF14C954FAAB7F5EF44720F18892CE25A8B2A0D775E944CB68
              Function 036F7A46 Relevance: .2, Instructions: 193COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68142294780f686403e4c1f7f1426f4e1bd83127541c79945fa94bdfc57a1e13
              • Instruction ID: ef162676e53af56f39261f11303c063ea0dfc95e5d7fade823796eb5625df1fc
              • Opcode Fuzzy Hash: 68142294780f686403e4c1f7f1426f4e1bd83127541c79945fa94bdfc57a1e13
              • Instruction Fuzzy Hash: 30513B75A002265FCB14DF69C9809BBB7F6EF89350B18416DEE54DB384DA74C902C7A0
              Function 036F132D Relevance: .2, Instructions: 188COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c91f650bbfc793c7a5bc2976267a9925a564d03caa64b514040a4e3b415c9ed5
              • Instruction ID: 15b7e737806495607a0bc157775fb08c7e72acf0169751ff5b7369b038bb5abb
              • Opcode Fuzzy Hash: c91f650bbfc793c7a5bc2976267a9925a564d03caa64b514040a4e3b415c9ed5
              • Instruction Fuzzy Hash: 49817E75A00205DFCB09CF99C590AAEBBF1FF89300F1981A9D859EB345D734EA41CBA0
              Function 036F903E Relevance: .2, Instructions: 186COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4331d8a31e5cb5cb2cc7cd155ea0b85705f69d271510c400e42f4e622ba6e5ac
              • Instruction ID: 461870715d29ca222a21e8ed430d8c9b956f787eb67ae72bde94843e4c71fe58
              • Opcode Fuzzy Hash: 4331d8a31e5cb5cb2cc7cd155ea0b85705f69d271510c400e42f4e622ba6e5ac
              • Instruction Fuzzy Hash: 6161CC75600715AFD325DF68C884BABBBE9FF88710F04462DFA698B240DB30E915CB95
              Function 036FFCF2 Relevance: .2, Instructions: 181COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aacbb2bcef9e0108c42063119b455a88b1f9276dead03ad33f6aa0e00480cab5
              • Instruction ID: 7807df0a8832674cee8bc9b1807d3c546fdd6db239018dc83b736d27646e4232
              • Opcode Fuzzy Hash: aacbb2bcef9e0108c42063119b455a88b1f9276dead03ad33f6aa0e00480cab5
              • Instruction Fuzzy Hash: ED61DF31A0020AAFCB14DF68C880ABEB7F5FF48314F208569E615EF284D734A912CB94
              Function 03637703 Relevance: .2, Instructions: 179COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c0531631bfa3d7f786e88e9e5ddfea147bb1bec59aa25da243d0d601c9f8663
              • Instruction ID: 222c25edfafa8b674be168b22a680d711611927cd274aecb31174e0bb7116505
              • Opcode Fuzzy Hash: 1c0531631bfa3d7f786e88e9e5ddfea147bb1bec59aa25da243d0d601c9f8663
              • Instruction Fuzzy Hash: 4D6171B5E00606EFDB18DF68C580AADFBB5FF49200F28816ED41AA7340DB34A941CBD4
              Function 036F92A6 Relevance: .2, Instructions: 174COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3066578dd15da2ecf962f46549d219b93af61dc0a8157b5cf2f12743e4eb8ba3
              • Instruction ID: 0e1f9ef6a2a6f5d0e59359404c383ed785f92965b5c88482d23fccbcfac008bc
              • Opcode Fuzzy Hash: 3066578dd15da2ecf962f46549d219b93af61dc0a8157b5cf2f12743e4eb8ba3
              • Instruction Fuzzy Hash: 6F6123366087828FD311CF68C994B6AF7E0FF90308F18446DEA858B391DB35E806CB95
              Function 036FCE93 Relevance: .2, Instructions: 172COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction ID: 7c1468e05b9f31db678fa29b6f3e63f490db3e028f827be93118f4daf0f1e0be
              • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction Fuzzy Hash: A1512532A0570A5FC714DE2D896076BFBD6AFC1250F1D846DEA95CB349DA30D80AC7A1
              Function 004102C3 Relevance: .2, Instructions: 165COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction ID: e82671514e6d504b4874043159b623d1472596ab17aadc8b612a8f8d473aa75f
              • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction Fuzzy Hash: 8E5182B3E14A254BD3188E09CC40631B792EFD8312B5F81BEDD199B357CA74E9529A90
              Function 036F7D73 Relevance: .2, Instructions: 160COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12e32c0b87a895ce91df1aa249d19bdccc70af789c9d5979bb4bb0909ad7d13d
              • Instruction ID: aa344be711c2de1ba2d381045dfe9f6be60ee47bf3cd1b64c3736f1c280b8d40
              • Opcode Fuzzy Hash: 12e32c0b87a895ce91df1aa249d19bdccc70af789c9d5979bb4bb0909ad7d13d
              • Instruction Fuzzy Hash: EB51D336A1014A8FCB08CF78C580AAEB7F2EF98314F19827AD915DB355E734DA15CB90
              Function 03643740 Relevance: .2, Instructions: 159COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f40afd76d8d565180b37e4499208b3a0bba190d5996a4e092d487dd1788578ee
              • Instruction ID: faa70022b36dc77a4e0c06dab12faccfd0572e441dc1a8d62209a065a4dfe4dc
              • Opcode Fuzzy Hash: f40afd76d8d565180b37e4499208b3a0bba190d5996a4e092d487dd1788578ee
              • Instruction Fuzzy Hash: 90511179E00616AFC711CF68C5846A9F7B4FF04710F2882A9E895DB340E734E9A2CBC4
              Function 03637152 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb90fda7ba80f7d8499ee4eace8020f4fdd81288cfe1f3049b024cc9006c28ec
              • Instruction ID: 7d2753ac1b5af3622ec39de07ed4d55cb8179e706136dd480b80266561563438
              • Opcode Fuzzy Hash: fb90fda7ba80f7d8499ee4eace8020f4fdd81288cfe1f3049b024cc9006c28ec
              • Instruction Fuzzy Hash: 3751F575A0060AEFEF15DF64CA48BBDBBB8FF06315F28416AE5129B390D7749911CB80
              Function 036B3A6C Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 548a3cca632219e9cd8638b15e69810c280806ac0908395f6cfeb75c8e1ce7af
              • Instruction ID: 721a16358ae03dbf56ae58306a7445d56037f8300cc94dab52905105b1bdc5cf
              • Opcode Fuzzy Hash: 548a3cca632219e9cd8638b15e69810c280806ac0908395f6cfeb75c8e1ce7af
              • Instruction Fuzzy Hash: AC51CE36E4012D4BEF24CA58D461BEFB3F2EB55310F580829E945BB3C4C2B66996DA50
              Function 036AD800 Relevance: .2, Instructions: 155COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ebe43908cfa6299bbf3e8eee1c86eedc2bb50e916672a1efa3989b7f22ebe0c4
              • Instruction ID: a09ada19a0000869de8e12cb7f28a110700b8ebe5769cd09dbe474f32f351aa0
              • Opcode Fuzzy Hash: ebe43908cfa6299bbf3e8eee1c86eedc2bb50e916672a1efa3989b7f22ebe0c4
              • Instruction Fuzzy Hash: 5951DF74A00A16ABCB14DF6DC5A0ABEB7B4FF45700B1841AAE881DBB90E734DD51CF90
              Function 036FD26B Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction ID: 2fd7bebbd16a37d994dbf3d2a4a01dc0bf5cf676a1d52ec6765cc8d8f5e2f174
              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction Fuzzy Hash: 84516C766087429FC311CF28C884B5ABBE6FFC8244F04892DFA948B344D734E905CB66
              Function 036F7571 Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 171e25396b15af0846b0b071e51ed67e70c5ba1530437cbab5ece1acf4dbc6ea
              • Instruction ID: c4cdd14e5db27b95e89cf58162e458b7e65c6769af810efdbd9d2719d0222ca6
              • Opcode Fuzzy Hash: 171e25396b15af0846b0b071e51ed67e70c5ba1530437cbab5ece1acf4dbc6ea
              • Instruction Fuzzy Hash: 8151F531A00219AFCB15DF69D844A7EFBB9FF48380F088169EA01E7254DB74AD21CB80
              Function 036351ED Relevance: .1, Instructions: 149COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 122ae876d6ff0062b076d71d1045259fb5e2b1784f6ce163a955b639dfeee6d1
              • Instruction ID: 1082093f7c95a9d01b25a81fc827af86a955f38039b45dcd7e40f87ea4131398
              • Opcode Fuzzy Hash: 122ae876d6ff0062b076d71d1045259fb5e2b1784f6ce163a955b639dfeee6d1
              • Instruction Fuzzy Hash: B851CE35A05314DFEF21DBA9C940BADB7B8BF0B314F080059DA52EB250E7B49941CB9A
              Function 036B5BF0 Relevance: .1, Instructions: 145COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc566c9632775125896b6a72df462e2765bbceb907eee8d866fbac63272fdc62
              • Instruction ID: 1ed46d2f211ff74268693781028ae5dc0caaf06fb71744a281a55921dbf8979c
              • Opcode Fuzzy Hash: fc566c9632775125896b6a72df462e2765bbceb907eee8d866fbac63272fdc62
              • Instruction Fuzzy Hash: CD411675F507149FCB25FFB89852AEEBAB19F06620B10452EE902EF341DB7488814F9D
              Function 0366F71F Relevance: .1, Instructions: 143COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad0b6443e170e3536d9145e42aa38cf09a746b5908e8e34f5b696f0a25c51b38
              • Instruction ID: 4c65c2824555ea8ef85264724f2fbeab0a1398675af40600bf7bdcc10cc246fa
              • Opcode Fuzzy Hash: ad0b6443e170e3536d9145e42aa38cf09a746b5908e8e34f5b696f0a25c51b38
              • Instruction Fuzzy Hash: 2C416A76D04229ABDB11EBA8D944ABFBBBCAF05694F55017AE901EB300D634DE01C7E4
              Function 036601F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d81a3f8a790e7789bb9f01174c25539e48b1118e11ad885240bb97173c6d237c
              • Instruction ID: debba310208f16cd1a82f50b5d3354cab5fb10ae212b4bee4cf8caa082f5392c
              • Opcode Fuzzy Hash: d81a3f8a790e7789bb9f01174c25539e48b1118e11ad885240bb97173c6d237c
              • Instruction Fuzzy Hash: F341AD769042159BCB14DFA8C540AEEF7B8BF88750F18816AE816FB340D7359C41CBA8
              Function 03672750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: b3b157616bd89e908750c71b94d5e8ed0ca1d1aaa751516e8dc03b55ea6bd349
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 83512A75A00615DFCB15CF98C580AAEF7B6FF84710F2885AAD855EB350D734AE42CBA0
              Function 036AD1C0 Relevance: .1, Instructions: 135COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction ID: 02eb40b220c978dc89e89acbfd01f88bc164a7ac88214133482e52c89bab551a
              • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction Fuzzy Hash: FE512775A00606DFCB18CF68C5916AAFBF1FF48314B18816ED819A7745E734EA90CF94
              Function 03636154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f273def9b9e1945961c2bcd4e2af1ff23cef55f4584d0b88565d72d55a93da89
              • Instruction ID: 9a788a4c9f965f7b1af20188744243cbced872d2beb3577c613879583b1c7773
              • Opcode Fuzzy Hash: f273def9b9e1945961c2bcd4e2af1ff23cef55f4584d0b88565d72d55a93da89
              • Instruction Fuzzy Hash: E0512970904616EBDB25DB24CD54BA8BBB5FF02314F1982EAD4259B3C1D7789981CF88
              Function 0362B136 Relevance: .1, Instructions: 131COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b67d68022d66fa06cc01659ba2967865d2344f060b8f2dfc46bc4196688080ec
              • Instruction ID: 3fccd3aba55d79927c02f78ed7c2a65a21e9fd620b739825b5d92540c1e51367
              • Opcode Fuzzy Hash: b67d68022d66fa06cc01659ba2967865d2344f060b8f2dfc46bc4196688080ec
              • Instruction Fuzzy Hash: 6941CCB5641B11EFDB21EF68C984B2ABFE8EF05794F098479E5119B290D774D800CFA8
              Function 036FF0E0 Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8668bcc51ddf247ef8e0333cf7d655999b817e5156124e42bfce94729749b6c2
              • Instruction ID: 62ce54444d58db12cddb00c34901aca9232bc58a2031df96da8b1426f4526fa6
              • Opcode Fuzzy Hash: 8668bcc51ddf247ef8e0333cf7d655999b817e5156124e42bfce94729749b6c2
              • Instruction Fuzzy Hash: DA41E1752183418FC704CF25D8A587BBBE1FF85225F088A5EF9958B382C730D809CB61
              Function 036F866E Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: 9a6ccf72aff78202b30a598412f5084420bb3dc5687d8c1ede6938b7cf894e7c
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: BF418475B00219AFDB15DF99CD85ABFBBBAAF88600F1840A9EA04A7341D770DD01C7A0
              Function 036DD5B0 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df6a9ae266ec2a942b427eeeba0703b0dd5d946f9a87816e35ae1985faedc55d
              • Instruction ID: 3de7a3bac1067162d11498fa96392c7a6c34f5eec1e0c2db2e277948e3ec77d1
              • Opcode Fuzzy Hash: df6a9ae266ec2a942b427eeeba0703b0dd5d946f9a87816e35ae1985faedc55d
              • Instruction Fuzzy Hash: 3441D030E08295AFCB14EF29C495ABAFBF1EF59300F098499E4C58F345D735A466DBA0
              Function 0365D6E0 Relevance: .1, Instructions: 126COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a40c5f678e38c48d02316e2cee1ed43fd82cb9ca6e7ac33f80fd768b0da6e3b0
              • Instruction ID: 265a806a6c8e4e2291fe2a15e0eb1ed0c2b1006f4587add062a44c289c1d02ec
              • Opcode Fuzzy Hash: a40c5f678e38c48d02316e2cee1ed43fd82cb9ca6e7ac33f80fd768b0da6e3b0
              • Instruction Fuzzy Hash: E541E0795043009FDB24EF66C990F6AB7A8EB59320F01462EF8158F290CB34A841CB99
              Function 0362A020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: d15a16ea184608389217507043f45aec998b574930675014a11e2a20dc0c0e76
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: 34414A31A00621DBCB20EFE4C5407BAFB72EB44758F1A816AE9458F380DA719D81CF90
              Function 03660710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: b8597461f0a42ba787aa2e791db0a42892a580a6bd12fcbe00a4bfe3af91bd31
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: EC410575A04705EFCB24CF98C990AAABBF8FF08740B20497DE556DB690D730AA45CF90
              Function 0363262C Relevance: .1, Instructions: 119COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 528808e32c4051b6647d1a1d583b96bb11b521620be5c7dc083f543564567ef2
              • Instruction ID: 0773c4b45681d7d309f9d9b338c3fde05f9b655d62541d8d525fcc3eac061bd7
              • Opcode Fuzzy Hash: 528808e32c4051b6647d1a1d583b96bb11b521620be5c7dc083f543564567ef2
              • Instruction Fuzzy Hash: 8B41BE74901714DFCB21EF28DA54B69BBF5FF4A310F248AAEC4169B3A1EB309941CB51
              Function 036FFFB1 Relevance: .1, Instructions: 117COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb8e568de2e2979ad0e9c506bd4d7c3ffecd24b682a0623bd53e6023dddb801f
              • Instruction ID: 161773287e11ab05c1fa6663dcea18c3a3291dd9ff5fe29be1b0abb49cc3efe5
              • Opcode Fuzzy Hash: bb8e568de2e2979ad0e9c506bd4d7c3ffecd24b682a0623bd53e6023dddb801f
              • Instruction Fuzzy Hash: 7D414731A042599BC740CB26D4A0BBBBFF1EF85219F0CC1AAD881AB386D639C506D770
              Function 036B07C3 Relevance: .1, Instructions: 114COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62645aefa0ebc3412e9352e28426e866f425436edbf6c808e40ba58f42034a6b
              • Instruction ID: 350b7c686341beb0317ee02019fc527509e134fada71b9d7d4cd5a2c8286f9ce
              • Opcode Fuzzy Hash: 62645aefa0ebc3412e9352e28426e866f425436edbf6c808e40ba58f42034a6b
              • Instruction Fuzzy Hash: B1419D726083009FD720EF29C845B9BBBE8FF88664F008A2EF598D7251D7709944CF92
              Function 036FFA49 Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ee558be41831cbeabd19e2b9e48b094ff53e9db53e1b0c9c491a5219625db41
              • Instruction ID: fea28a1db2580d936adc6f48cf65c5cedce7e5570af1a2d2780373552e71ad56
              • Opcode Fuzzy Hash: 0ee558be41831cbeabd19e2b9e48b094ff53e9db53e1b0c9c491a5219625db41
              • Instruction Fuzzy Hash: D03109367141069FC718CF29CC44AA7BBA9EF89750F088678EA18CF385E7B4D945C794
              Function 036FEEDB Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f7161c0df1f2db5f0a7904fbc74a6fd89d0ae65b2da0ff5356d4eaba66d9c61
              • Instruction ID: 80a7eb6ce447fe513e243b63fc2657083c620cf2d3c476d8064b9b9910fd307d
              • Opcode Fuzzy Hash: 8f7161c0df1f2db5f0a7904fbc74a6fd89d0ae65b2da0ff5356d4eaba66d9c61
              • Instruction Fuzzy Hash: F441BF33E0402A8FCB18CF68D49197AF7F1FB48304B9642BDD906AB295DB34AD05CB90
              Function 036FFB76 Relevance: .1, Instructions: 109COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b166827137602c44fa51ac4aea1a1465eaec3724278c277d83401e947cc95345
              • Instruction ID: 801f06ebc89de2a430525b577747d8157cd56aedaeffaf012400a0a426c08874
              • Opcode Fuzzy Hash: b166827137602c44fa51ac4aea1a1465eaec3724278c277d83401e947cc95345
              • Instruction Fuzzy Hash: B731F236A10215AFD714DF29CD44AABBBEAEF8D350F448468FA08CF241DA34E901C794
              Function 0040E563 Relevance: .1, Instructions: 108COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction ID: 2b3e1c5592cb0699157a6d1260a6614b2f7bc26e8d5adcb86a061b103ca4ee51
              • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction Fuzzy Hash: E231921165C6F10ED30E836E08BD675AEC18E9720174EC2FEDADA6F2F3C4888418D3A5
              Function 036402E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 71a6d67ebdf680cf3c1c9f2f8117f5b5dff19ea1a3f197bee210b762d9bacffe
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 55314632E04254AFDB22DB68CC40B9AFFE8FF05310F0885AAE815DB351D6749885CBA4
              Function 03659274 Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c7d4ca5ea89d3dc41ff486a0cdbb88306fc2e98176bd7c67868c48e475653b4c
              • Instruction ID: 07847718598e04e8339a750287767f07e2b49c445f40e67cf8e9e94f8f277898
              • Opcode Fuzzy Hash: c7d4ca5ea89d3dc41ff486a0cdbb88306fc2e98176bd7c67868c48e475653b4c
              • Instruction Fuzzy Hash: D3315075A00328EFDB25DB24CC40B9AB7B9EF86710F5501A9B94DAB280DB309E45CB95
              Function 03635702 Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d376ed4d6ea837d79d819f1f5a473c7a13673cb0df71f63fb4d0aa89d32ed84
              • Instruction ID: 864fa255551eae5ba7f9aa9e63d4fbc85ad4cd71ae6461eb2d6fc905b442eeab
              • Opcode Fuzzy Hash: 8d376ed4d6ea837d79d819f1f5a473c7a13673cb0df71f63fb4d0aa89d32ed84
              • Instruction Fuzzy Hash: 3131AE35701A06EFDB51DB24CA84AA9FBB9BF46354F045069EA428BB50DB70E821CBD0
              Function 03634260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80ff27fd3bce9331222c949b33cd466a6c2fb83aa8dff8acf64ba847be10ebf1
              • Instruction ID: 400bdc7c8cd4f2900dd224aadb92f119e71fe95772b27eb1c854287ad4ff5913
              • Opcode Fuzzy Hash: 80ff27fd3bce9331222c949b33cd466a6c2fb83aa8dff8acf64ba847be10ebf1
              • Instruction Fuzzy Hash: 1A419F35200B45DFDB22DF25C981BD6BBE9AF46714F14842EE59A8F350CB74E804CB94
              Function 036550E4 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction ID: f9b394f749e9ed18dcfca74dd1417386c22b9788c74fdc152c63fd15dc16c0b5
              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction Fuzzy Hash: 1031D4316083419BDB31DA28C904767BEA9AB86754F0C857EFE878B385D674D841C792
              Function 036F61C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bee867120131c845fd1ced90d4ff23a686bb015986df51b6c3f3c4c637090ea
              • Instruction ID: ced5efbfd359d9a295c5873b8a0881cb61175a1064dfacb4dc7b8381900af436
              • Opcode Fuzzy Hash: 1bee867120131c845fd1ced90d4ff23a686bb015986df51b6c3f3c4c637090ea
              • Instruction Fuzzy Hash: BF31B276A00215EFDB15DFA8CD44BAEB7B5FB44740F454169E500AB244D774ED01CBA8
              Function 036F6BD7 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a64fb45376e1bb725fa96dad7db02a88e94aa1ce8f340a5d9d75c24d5d09b6bd
              • Instruction ID: 58cc671dcf3785253f7e21099107cb92389bd0b7945cedb4e481f2fa8749abae
              • Opcode Fuzzy Hash: a64fb45376e1bb725fa96dad7db02a88e94aa1ce8f340a5d9d75c24d5d09b6bd
              • Instruction Fuzzy Hash: 06316C316002049FCB24DF2AD985A9B7BF4FF4D340B858469E908DF24AD670E945CBA4
              Function 036F60B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4459a0f7ceb5672f98aa34bf28ff158abaa6c78d8af5ae1f91041e06ee757332
              • Instruction ID: 9bd2d3a09d0131745696f18972d9d2716102402659dda2ede146736186cbc0a7
              • Opcode Fuzzy Hash: 4459a0f7ceb5672f98aa34bf28ff158abaa6c78d8af5ae1f91041e06ee757332
              • Instruction Fuzzy Hash: 6631E075B00215AFDB22EBA9C950B6EBFB9AB44314F1440ADE641EB342DA30DC018B90
              Function 036307AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e8f3c38ac00e96ae4ce541b08c3c244ca9298a7d091460686ec9458eb67c988b
              • Instruction ID: d889fedf21ba9480ae87dc92ff31182635a91622974fb1316494510db0a45cdc
              • Opcode Fuzzy Hash: e8f3c38ac00e96ae4ce541b08c3c244ca9298a7d091460686ec9458eb67c988b
              • Instruction Fuzzy Hash: FD31D776A04751DBCB11EF248880E6BBBA9EF86660F06452DFC579B310DB30DC1987D5
              Function 0362D6AA Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction ID: 8201191b22ca0430c3be198f3718c428a31169d06596c3ccec97cabf4c79b354
              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction Fuzzy Hash: 9231C536A00E24AFDB21DE54CA88B6ABBB9DB84750F1E8469ED259B350D338DD41CF50
              Function 0042F0E3 Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1df1a272bfd0f5a65a9182e24bdaa51c06ba6a790db9a7010779de6b98fd5f96
              • Instruction ID: 85686992a7d04ce1319d00b456006d967a043a8e09c626ef61504dad38771a44
              • Opcode Fuzzy Hash: 1df1a272bfd0f5a65a9182e24bdaa51c06ba6a790db9a7010779de6b98fd5f96
              • Instruction Fuzzy Hash: 8C31C072B006269BD754CE7AE880656F7E1FB88310B94863AC918C3B40E778FD65CBD0
              Function 036357C0 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 00e8d71cf2be50e93405d714a0cb42b90ceabd5393882e4078d172d4ad9cc9c3
              • Instruction ID: 0cb04671c39df379e6d09794981bb0e6cfca1c204bd3392ba2bc5c2c3749e92c
              • Opcode Fuzzy Hash: 00e8d71cf2be50e93405d714a0cb42b90ceabd5393882e4078d172d4ad9cc9c3
              • Instruction Fuzzy Hash: 9C319239715A09FFDB51DB24DB44AA9BBAAFF46310F54506AE9028BB50D731E831CBC0
              Function 0366A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: 1d54de1acf0eca5360f867f49c80eb1d2371359ee03901e61c999fbe9a6a3572
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: 6A310FB6B00B01AFD764CF69DE45B57BBF8BB08690F18452DA59AD3750E630E900CB64
              Function 00403340 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1764717633.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e19bf5871abd42b4c0e5ee2712885d3ed50ee2c8f6d436eafebe2ac1d54b62a
              • Instruction ID: 5e1b51a915c25e99fed06b708827882523540836c8763832366d26fb58ff5566
              • Opcode Fuzzy Hash: 0e19bf5871abd42b4c0e5ee2712885d3ed50ee2c8f6d436eafebe2ac1d54b62a
              • Instruction Fuzzy Hash: B7319F72A14A148FD368CE7DD841657B7E5EB88350B014A2EE89AD7781DB78E901C784
              Function 0365438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0441c3a238080520459250624a605412036bbadbfd2534a6d172fdee32ce4ecd
              • Instruction ID: cdf82f82e0727f945692e2908a2c4f3689bb5230f0ea9846403e84b49d9f5a77
              • Opcode Fuzzy Hash: 0441c3a238080520459250624a605412036bbadbfd2534a6d172fdee32ce4ecd
              • Instruction Fuzzy Hash: CC31D631B003059FDB21EFA9C980A6FB7F9EB84305F00857AE845D7254DB30E985CBA0
              Function 036392C5 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction ID: cac8d83aa08e1b49880c9c8018781a24649a2448298b687a247937402bf52094
              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction Fuzzy Hash: 1F319CB56083099FDB01DF18D940A9ABBE9FF89310F04096AF8519B3A0D730DC15CBA6
              Function 03687190 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction ID: f31aa4fac2b259c1e62ec93dcf1578a7dc8e7ab6166ef008b628589629761313
              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction Fuzzy Hash: 71318A75604206CFC710CF18C580956FBF5FF8D350B2986A9E9989B325EB30ED06CB91
              Function 036EC3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: caff551f300f700a89024828975f6dd61dadb9ef4dc3b67a18d2c364f0a896f7
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: 0321083F601755AACB25EBA58800ABEF7B4EF40610F40801EFDA68B691E634D954C774
              Function 0362C156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe2133a2820354d41b1e79edfef5069e8f18e57d8ad8156936cc8a51bce6aa9d
              • Instruction ID: c19ae07faeaaa4c241daf3b67227c2f46200cb3c9878d651d0c6d7e2938b0a96
              • Opcode Fuzzy Hash: fe2133a2820354d41b1e79edfef5069e8f18e57d8ad8156936cc8a51bce6aa9d
              • Instruction Fuzzy Hash: F931E5755003108BDB34FF24C845BA9BBB8AF45314F5882ADD9469F3C1DA749986CBA4
              Function 037003E6 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12a67896621a3c2b6a5a6a31ab9882f18098fcb939a490ece4fbbd8395b78f8e
              • Instruction ID: 132c2408ac0f4465ec540a8d11c6b1ef10cc522ef4f4c2316f79199d36bd1674
              • Opcode Fuzzy Hash: 12a67896621a3c2b6a5a6a31ab9882f18098fcb939a490ece4fbbd8395b78f8e
              • Instruction Fuzzy Hash: CF313E71A00119EBCB18DBA5D898F9FBBB9FB8D214F454169E905E7241DB30AE04CBA4
              Function 0362E388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: 45bddeec9d56b6027aad9540e24f39243b4fc3894dd3fbabdcdd04d9166e5cfe
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: DB31A935600A14EFDB21DF68C984F6ABBF8EF84354F1545A9E5128B390E730EE02CB60
              Function 036AE609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a1488e139124588e49a482fe9cb6ab02ae82e63c10556d035c69d3b1d4d2118
              • Instruction ID: bb1f0d6ccf6016fff85e9d0a096afdc314d4fccf84c1a5a266b88627b94534b4
              • Opcode Fuzzy Hash: 5a1488e139124588e49a482fe9cb6ab02ae82e63c10556d035c69d3b1d4d2118
              • Instruction Fuzzy Hash: E1316D75A00605DFCB14CF1CC984DAEB7B5EF88304B15895AE8059B391E772EE61CF94
              Function 03633616 Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 58dcaef159e4288099b50cfc97d7db574937aeb7fcef4f6eda0e4234b536d67e
              • Instruction ID: cfa31418923293abc369ac92ae038b7722c01b57bf94478eae1a415d150f794e
              • Opcode Fuzzy Hash: 58dcaef159e4288099b50cfc97d7db574937aeb7fcef4f6eda0e4234b536d67e
              • Instruction Fuzzy Hash: 2C21F2392457609FCB61EF04CA58B2ABBA4FF83B10F29486DE9410B751C7B0E854CB91
              Function 03700591 Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2d27681a8c565a9b783fe6ed71702170c09da9cb81127b10cb3d31315d9ddcb6
              • Instruction ID: 691291992e3dd7008a497aa4083e01a13afd145ab27b45a863d75e133f53679b
              • Opcode Fuzzy Hash: 2d27681a8c565a9b783fe6ed71702170c09da9cb81127b10cb3d31315d9ddcb6
              • Instruction Fuzzy Hash: C1218B32614205CFD728CE29D880BAAB7E6EFD4320F998478E915DB2C5DB74F855CB90
              Function 0365F32A Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction ID: db17d7b879803c4a79718cb7173ae3a8f87680c043f2676902b0746ffbdeed96
              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction Fuzzy Hash: 99217972200700DFD719DF15C545B6ABBE9EF95365F15817DE90A8F3A0EBB0A801CAA8
              Function 036B06F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c26d4f4ec19aec5025eb50faf0da88b1cb84877905d3e1d85d469d109d1139a3
              • Instruction ID: ecba113edbea4c97ffabbc53a7484993dea8aa255be3e438755b1d7d06ca5260
              • Opcode Fuzzy Hash: c26d4f4ec19aec5025eb50faf0da88b1cb84877905d3e1d85d469d109d1139a3
              • Instruction Fuzzy Hash: 3E21AD75A00229ABCF20DF59C881ABEFBF8FF49740B540069E541AB240D778AD42CFA4
              Function 036B019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b4811e943bdf3fc03344e573d3725470c32d39519d85b88e566411c8c546045
              • Instruction ID: 8812e70f154a6ac0dde641ab8ecda89f1512202ac7c2d5cf03842ea5f8320859
              • Opcode Fuzzy Hash: 2b4811e943bdf3fc03344e573d3725470c32d39519d85b88e566411c8c546045
              • Instruction Fuzzy Hash: 4921AE75A00644AFC715DBA8C940FAABBB8FF48740F140069F944DB7A1D734ED50CBA8
              Function 03669660 Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1f71265f7cde3c099c0f100f119c9e662f656e8535d0d4040279d83c450222d3
              • Instruction ID: 7c8507317813c41c3db950788b07291fdcea242b68be1ae0ee61f933e6fead70
              • Opcode Fuzzy Hash: 1f71265f7cde3c099c0f100f119c9e662f656e8535d0d4040279d83c450222d3
              • Instruction Fuzzy Hash: 6921F330100B01DBEF31EB24CA10B2677E6EB41364F18465AED92CA7A0D731AC62DF55
              Function 036B0283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2c6c8be19fbff6f0f592a74bc9b25541a1cdc93e28366fc7ea87ecc3c48f6b9
              • Instruction ID: 6aa627503e46fa8fe4d7221dec95c0d75cb66edc1ef9eb722e4fa7233f9b145f
              • Opcode Fuzzy Hash: b2c6c8be19fbff6f0f592a74bc9b25541a1cdc93e28366fc7ea87ecc3c48f6b9
              • Instruction Fuzzy Hash: AD21B6769043469BC711EF59C948B9BFBECBF81240F08445ABD80CB351D734D989CBA5
              Function 036D71F9 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9256af4cdb8b0ca533b0c937f28e3c0098c88032c247f92a019469878a893514
              • Instruction ID: 841bcc3f5e53e154b27d656238b8f46287214772262f582dc13a67658f638e3c
              • Opcode Fuzzy Hash: 9256af4cdb8b0ca533b0c937f28e3c0098c88032c247f92a019469878a893514
              • Instruction Fuzzy Hash: 3E21F531E047908BC320DF658940B2BB7E9EFC5324F18496DF8A697250DB70E985879A
              Function 036AD0C0 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction ID: 832f59bdba189dcd17484622e88c6781ccb14e59f933afa52ac9f30a47815be2
              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction Fuzzy Hash: 0321B072644B00ABD311DE1CCC51B5ABBA4EB89720F14052EF9459B7A0D730DD018BA9
              Function 037001AA Relevance: .1, Instructions: 71COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db6dc73fa20726821c8ef2134f69c9d3cc6227f3587657448270833cb3061308
              • Instruction ID: ac33395f31e7ffe21da3d40b559f3aa9079ca44f8bd5e27777a296092684a14d
              • Opcode Fuzzy Hash: db6dc73fa20726821c8ef2134f69c9d3cc6227f3587657448270833cb3061308
              • Instruction Fuzzy Hash: F521E4612142504FD745CB1AA8B54B7BFE5EFC6125B09C2E6D884CB346C134D907C7B0
              Function 0366A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3db66cb10b7f14f713f78c98ff9e49f00b70e694fb2ab8972d13b84e85708b5f
              • Instruction ID: 989ad3127142e0e101528bd26d9428647bbc4d35c061c358d762a309f3bbd5e9
              • Opcode Fuzzy Hash: 3db66cb10b7f14f713f78c98ff9e49f00b70e694fb2ab8972d13b84e85708b5f
              • Instruction Fuzzy Hash: 55217C79600B109FC725DF69CD01B56B7F5AF48744F2884ACA91ADB761E331E842CF98
              Function 0362B765 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 001001e56ffeab1d921d1d8efe76b1c270c0ea4a88fd635c5631c0dc3820c9ee
              • Instruction ID: 2f4c86d54758bef1c46dc066bd8b98ca4cdb6b143e332597790a0b65e63621f1
              • Opcode Fuzzy Hash: 001001e56ffeab1d921d1d8efe76b1c270c0ea4a88fd635c5631c0dc3820c9ee
              • Instruction Fuzzy Hash: B1215776510B10DFC721EF68CA40B19BBB5FF18708F19896DE00A9BAA1C738A810CB48
              Function 036FEE26 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c3829acc8dd8b3676ba214999cdeb071b47e9b114fde86ecc43f2e064d4c290b
              • Instruction ID: a223ce5161597b3e1ec59c0a2b883564d7f98e1536d1d0f8a7b627b7c9fcebc8
              • Opcode Fuzzy Hash: c3829acc8dd8b3676ba214999cdeb071b47e9b114fde86ecc43f2e064d4c290b
              • Instruction Fuzzy Hash: AB21B433A104119F9B18CF3DD804466F7E6EFDD31436A827AD512EB269D774BD118A84
              Function 03660124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: ccbe6fd37882f8294f07a3dbc90c3d22420ddf116d670c5fac300895bb27ef69
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: 1A11EF76600704BFD722DF84CC40FAABBB8EB80794F140039EA008F280D675ED44CB64
              Function 03638770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: efde14bc4fe99377bd980469690b7a851cdeb11ddc8672bb2ad8f189927d8fb8
              • Instruction ID: 6cecf36673a7f96792fc307693a341d8138d25ee980d569e07167f348217fd91
              • Opcode Fuzzy Hash: efde14bc4fe99377bd980469690b7a851cdeb11ddc8672bb2ad8f189927d8fb8
              • Instruction Fuzzy Hash: F611BF75701620DBCB11CF59C684AAAB7FAEF4B750B18806DFD08DF305D6B2E9068790
              Function 03633720 Relevance: .1, Instructions: 67COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 387d17f4c7eb774c0096d01f92790b3409a79e69b5eab979495194718c61872f
              • Instruction ID: ae06daeba659944d05ae379434195ab82174bac3f1294cc5a6af0ac197641fcb
              • Opcode Fuzzy Hash: 387d17f4c7eb774c0096d01f92790b3409a79e69b5eab979495194718c61872f
              • Instruction Fuzzy Hash: 1B21C578A002098BE725DF6DD1487EDB7B4EB8A318F2D802CD812573D0CBB89945CB59
              Function 036380E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8fdb770a6444826a418c1e2e3cdf961e2ba64d968b97cf2febae6fdc31b4fed
              • Instruction ID: e1d860e05db586eca38e364d5d06ad31f77435a620e2c5024f8cd45ed2d75fec
              • Opcode Fuzzy Hash: a8fdb770a6444826a418c1e2e3cdf961e2ba64d968b97cf2febae6fdc31b4fed
              • Instruction Fuzzy Hash: BC216D75A00206DFCB14CF98C681AAEBBB5FB89318F24416DE105AB310CB71AD0ACBD0
              Function 0366674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 730944cbdf0b446fc85ba6c0f690e15de8c4d08cba9d6a019ce8463eefc694cf
              • Instruction ID: 6359178d84a8cb1e3d12b440669b8404d9a508b867f860ea5b129a47c91596bd
              • Opcode Fuzzy Hash: 730944cbdf0b446fc85ba6c0f690e15de8c4d08cba9d6a019ce8463eefc694cf
              • Instruction Fuzzy Hash: 35218975600B00EFC720DF69D881B66B7E8FF84290F44882DE4AAC7250DA70EC50CBA4
              Function 03629240 Relevance: .1, Instructions: 64COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 74d5e26b06938c8465994b5ddc171734341058e8d770ca7bb2abca1ca3ac58bf
              • Instruction ID: 5c123ea6e1197e3a57b8738e3ae147fcff2df3f4bd852b8322accb0dd5c5cfe7
              • Opcode Fuzzy Hash: 74d5e26b06938c8465994b5ddc171734341058e8d770ca7bb2abca1ca3ac58bf
              • Instruction Fuzzy Hash: 0D11D33E020640ABE734EF65D941B617BA9EBA8780F14812AD8009B354D63CDD01CF69
              Function 036FFF09 Relevance: .1, Instructions: 60COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 14ee82c43bbb2712d7fb3ea71fa0787250634a69ba520bb0164bc7ca2bff3c7d
              • Instruction ID: 3bce0ad1e3279f2673e37aeed7081558088a34cefa272552ba1657d54b9d82bf
              • Opcode Fuzzy Hash: 14ee82c43bbb2712d7fb3ea71fa0787250634a69ba520bb0164bc7ca2bff3c7d
              • Instruction Fuzzy Hash: 6D2152B1A102059FD754DF2AE884A42BBE5FB5D210B85C5BAE90CDF24AE770D844CB94
              Function 036527ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d7234c0e36138c5ee95c7c094e2d0638558b8b7f7ef95b4fbebbe3739b6007be
              • Instruction ID: d5757356a5bffc658716f28ebdd33fbff3f2c89d6d47965b3d082659d010ce26
              • Opcode Fuzzy Hash: d7234c0e36138c5ee95c7c094e2d0638558b8b7f7ef95b4fbebbe3739b6007be
              • Instruction Fuzzy Hash: 9B010476605644ABE716E2AADD54F67AADCEF41394F19047AF8008B240DA24DC05C2B1
              Function 0365B052 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1320547319e34a74ca98e5c9bae704e1e5925d84f5392940f26083fd1c94be86
              • Instruction ID: 3df2c6eb176f822cfc44408b93fd60353daf0f9de6807bb961c7602bcfb98ff2
              • Opcode Fuzzy Hash: 1320547319e34a74ca98e5c9bae704e1e5925d84f5392940f26083fd1c94be86
              • Instruction Fuzzy Hash: 79019676B04740ABD711EBA99C81F6BBAE8DF84614F04043DFA05D7241EA70E9018665
              Function 036ED6F0 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction ID: 79730bb3456e0b63c49aedf218cc671b6a27d2db7463610b0229f11b71cee44d
              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction Fuzzy Hash: CD01A179711209AF9F04DBA6CA48CAFBBBDEFC4A44F050019E911C7200EB30EE05DB60
              Function 03666620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e58331a4d015ed5d7a82063b2935f32fb76dad2d2483762225466be67bf97d3a
              • Instruction ID: 62a7f2e604b14d8e9628bada4d57fb823135de54d8668689e1f0564d3dc81d94
              • Opcode Fuzzy Hash: e58331a4d015ed5d7a82063b2935f32fb76dad2d2483762225466be67bf97d3a
              • Instruction Fuzzy Hash: DD11E576A00715ABDB21EF59EA80B5EF7B8EF45790F540059D901EB300D730AD118BA5
              Function 03627330 Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65dc16eb65316bc33c18d7ac784f712d26694a26981c94ec320b4ab3fb13d482
              • Instruction ID: b9dfe25ed5645a178e4454f402c949c7dee7481f14243209b60901f191ec4c23
              • Opcode Fuzzy Hash: 65dc16eb65316bc33c18d7ac784f712d26694a26981c94ec320b4ab3fb13d482
              • Instruction Fuzzy Hash: 83119E71600B249FD721CF69C941F6B7BE8EB44304F064429E985CB352D735EC018FA5
              Function 0365F2D0 Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 792cbea7a19a7883f77bcaf3e732204a7a35263733305251adaed6bd6a338599
              • Instruction ID: d55aea130ea29483b70aeda9da93d70c8542ff0721de9e09cdd2196050b803d9
              • Opcode Fuzzy Hash: 792cbea7a19a7883f77bcaf3e732204a7a35263733305251adaed6bd6a338599
              • Instruction Fuzzy Hash: 7711CE75A00B48DBD720DF69C984BAEB7A8FF45700F1804BAE901EB341DA79DD01CB94
              Function 036C72A0 Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction ID: c47b38a11b4b2ced49e2f22c6b446dd716dcf662f502622a2781bfc266990c62
              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction Fuzzy Hash: A401D27A240649BFD711EF26CD90E62F77DFF44795B544929F10046660C721ACA0CAA8
              Function 0362A250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: d2a69944046b4c13da99ae5e2757955db829190e673c313676727ad58ca38b17
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: 5E01D671506B219BCB30CF95D940A36BFA9EF4576070A8A6DFC958B680DB31D821CF68
              Function 03636259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d1dfef05b5e5671058fd236a2123eaa2796aef3a660cce4f89e7479de47974a
              • Instruction ID: 3ba358f9c6cbcc446a2efba3180ffbbe174ef7bf72d7a811d78cc2bf68621afa
              • Opcode Fuzzy Hash: 0d1dfef05b5e5671058fd236a2123eaa2796aef3a660cce4f89e7479de47974a
              • Instruction Fuzzy Hash: 13117074541318ABDB25EB64CD51FE9B378EF04714F5045D9A314AA1E0DB709E91CF88
              Function 036AE1D0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1e09af32990e6be43dc215d65125846c9d267e3be81c5c6b46d3d229d77fa55
              • Instruction ID: ade2dac80f6f7fb44341037e397f779a75a98271d92ee7d2c7d78ac660f4ffd9
              • Opcode Fuzzy Hash: f1e09af32990e6be43dc215d65125846c9d267e3be81c5c6b46d3d229d77fa55
              • Instruction Fuzzy Hash: 92118B36641740EFCB15EF18C980F16BBB8FF48B44F240069E9059F6A1C236ED01CAA4
              Function 0363208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: ab40db373c732af89c4fb54f4e3d40a8321ec40f316175d99be1678828b75fbb
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: 640124366002108BDF10EA29D990BE6B76ABFCA700F1949A9ED018F345EB71D881C7A0
              Function 0362C020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: 292d84985a1ea3a99ed9d95cc4ebb95b8ef9e3f8a07c73df9728dc6de76e6b82
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: 93012832100B449FDB22E766C900EABB7EDFFC4254F09451EA9468B680DE71E402CB61
              Function 036720F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9ca2c8fef75fbfe160ed619a0a8349c6392c8bfa66e07faea3c5be0e23179cc
              • Instruction ID: c88ad64898c5cc1771e5e4fe16d1f038eb2dd18c91a077b61eeab28567a77b42
              • Opcode Fuzzy Hash: d9ca2c8fef75fbfe160ed619a0a8349c6392c8bfa66e07faea3c5be0e23179cc
              • Instruction Fuzzy Hash: B6116935A0020CEBDB05EFA8C954FAE7BB9FB48244F004099EA019B390DA35EE11CB90
              Function 03629353 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction ID: c4336b39ccda30246c053e80c8c6f66b341711bc3bfa2cf2541de428d6e7dd3e
              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction Fuzzy Hash: 63117C32900F129FD721DE15C980B22B7E4BF807A2F1A886CD4894A6A5C374E891CF10
              Function 036533A5 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction ID: da4e91cf17d8bac2ae839b41f46928180603259a342dec4f6d3768e879d0f888
              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction Fuzzy Hash: 0401863A700205A7CB12DA9ADD00F5FBA6C9F94A81F254439FD15DB360EA30DD02C774
              Function 0366D1D0 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction ID: f76244ab344fb4df30b3066303bed062fbfa626ef1648158eb5d951b3710a666
              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction Fuzzy Hash: 1D0147BAB106049BD711DA54E804F65B3ADEFC4668F144159FF128F380CB34DC01CB98
              Function 0362826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 457b4f43a5e5d9c577d627971690c07d19d696b6a9381d934377f3d6e4edc0aa
              • Instruction ID: 5f040be70e1cdfb4621725d596098f9da005aed60bd61063cb8d91650e8ea516
              • Opcode Fuzzy Hash: 457b4f43a5e5d9c577d627971690c07d19d696b6a9381d934377f3d6e4edc0aa
              • Instruction Fuzzy Hash: 56012035701A14DFD714EF65DD109AFBBB8EF45210B1A402DD902AB641EE30DD01CBD9
              Function 0364E016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 9f051f0cafd11d7db0c96c9f31171ffbe7030b27eadd47ede9db5802b45d4cb0
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: 91015672600A809FD322D71DCA48F76BBECEB49B50F0D04A6E815CBBA2D729DC51C625
              Function 036EF367 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28eb0563d2d3d1be69d1a7ca1f472b6d9734c01e78e3bfd62b72e92d8b014205
              • Instruction ID: 4704847243fe61f21450171e2ff5355f1a94bd49ae16f9d525b6314846639869
              • Opcode Fuzzy Hash: 28eb0563d2d3d1be69d1a7ca1f472b6d9734c01e78e3bfd62b72e92d8b014205
              • Instruction Fuzzy Hash: 55018F75A11358EBDB10EBA9D805FAEBBB8EF44700F44406AB500EF380DAB4D901C7A4
              Function 036F972B Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
              Function 03705636 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc8b07abd60fb71f9e7d644ca86fdc3e78e5a6f765da5a35bc196ecdce60ed25
              • Instruction ID: b9f5f8f316792b186578b9b949e6980f17c3857c257f0498157b5a3da0a28c24
              • Opcode Fuzzy Hash: fc8b07abd60fb71f9e7d644ca86fdc3e78e5a6f765da5a35bc196ecdce60ed25
              • Instruction Fuzzy Hash: 4C118078D10249EFCB04DFA9D444A9EB7B4FF18704F14805AB814EB381D734DA02CB95
              Function 0362C310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 8767c2154e4d7291eb75b7148949b1237a59a9d8ec0ef9d18f121c0e3c5de0cd
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 45F0FC37244F329BC732DA594880F6FAD998FC9AA4F1B0439E1099F304CA658C025ED1
              Function 03705152 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6f4f05671e9f1230e162b98a860251649f6ffc591254f8c8c4ca7feb48caad2
              • Instruction ID: 1736252855047ee0d8d12a2bd90f1a2f6c2feff6d1071f91daea75b88f444b57
              • Opcode Fuzzy Hash: c6f4f05671e9f1230e162b98a860251649f6ffc591254f8c8c4ca7feb48caad2
              • Instruction Fuzzy Hash: 87012C75A10209EBDB00DFA9D941AEEBBF8FF49310F14405AE900EB380D674AA018BA5
              Function 03705060 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 949e36def529ad5df9f9ddb4d32baef4e23082be5d0dd99124e6adfd80ec623f
              • Instruction ID: 5332e48169bb9aede17028dc8e2fdd59d3df02fb0bf514b7223fdde0bb982519
              • Opcode Fuzzy Hash: 949e36def529ad5df9f9ddb4d32baef4e23082be5d0dd99124e6adfd80ec623f
              • Instruction Fuzzy Hash: B5012C75A1030DEBDB04DFA9D941AEEB7F8EF49310F50405AF901EB381D674AA018BA5
              Function 0365C073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: 52ede60d94fa9432c90626fc0e199e3fd3d42f54b7b09238c7f9041e4b0765d1
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: 65F0AFB3A00610ABD324DF4D9940E57F7EADBC0A80F088128A905CB320EA31DD04CB90
              Function 037050D9 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: edfcb549e1edbcc164ce3daae0ab61b33f836980f8244fec9b7d94a202dbdb93
              • Instruction ID: 838d6c660a36fead370756d490107e3cdf8ef0aba0ddeb654130ff6b08563926
              • Opcode Fuzzy Hash: edfcb549e1edbcc164ce3daae0ab61b33f836980f8244fec9b7d94a202dbdb93
              • Instruction Fuzzy Hash: E4012CB5A00309EBDB00DFA9D945AEEB7F8EF49310F50405AE500FB381D674A9018BA5
              Function 03665734 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction ID: 77c2a80cff380f4130b742b7b289696d53c673ae205bc3cc8560869e5803852c
              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction Fuzzy Hash: 62F0FF72A01214BFE319CF5CC945F6AFBEDEB46690F094079D602DB231E671EE04CA94
              Function 036EF78A Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f80d8643c94853e10e5306c1c2fdc016f314b3c23483181dbad9838823764ca4
              • Instruction ID: 71907c388c790b3d811d7a416b77160e9ae5f2195d0bf026fa2f2b3d2ae6f5e4
              • Opcode Fuzzy Hash: f80d8643c94853e10e5306c1c2fdc016f314b3c23483181dbad9838823764ca4
              • Instruction Fuzzy Hash: C0010CB4E01749AFCF04DFA9D545AAEBBF4EF08304F10806AA855EB341E674DA00DB95
              Function 036EF2F8 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf1653923784b0b0c6f54cc93ba63c63fb01472394b1b66733c5e30343ecc6ca
              • Instruction ID: f93f63f241f8d96483ee9a6d12696d48df59eb776cbc85be8c11dcca7fffcee1
              • Opcode Fuzzy Hash: bf1653923784b0b0c6f54cc93ba63c63fb01472394b1b66733c5e30343ecc6ca
              • Instruction Fuzzy Hash: E9F0C876F11348ABDB04DFB9C905AEEB7B8EF44710F00805AE501EB380DA75D9058795
              Function 037061E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3369c335e10458e447d0b5fa57f19f15a4a035caee9f9d756c5098b80ccddbb1
              • Instruction ID: 0799bd445c09edaad23514940cc2d6f1d7235c922086bb68c02ec2ade1eea6f6
              • Opcode Fuzzy Hash: 3369c335e10458e447d0b5fa57f19f15a4a035caee9f9d756c5098b80ccddbb1
              • Instruction Fuzzy Hash: 7E018F71A00258DBCB00DFA9D855AEEB7F8EF48310F14405AE500AB380D778EA01CB99
              Function 0366724D Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction ID: 4f5266759d88b01cf4f50f0b064c4e734ef84f12d55654f4f75e6fdde86c2268
              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction Fuzzy Hash: B4F0F675A11355ABEB10D7AACA40FABFBAC9F80658F088595F9029B240DA30E940C758
              Function 037053FC Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 01c7c2cdad686d23e45db5bfd9538ef580b1af2983026a07dc9e34b7524183fe
              • Instruction ID: 85cde8ca7345db8d7609492d8f6b59a104e160e9d3fa04962e559082716be653
              • Opcode Fuzzy Hash: 01c7c2cdad686d23e45db5bfd9538ef580b1af2983026a07dc9e34b7524183fe
              • Instruction Fuzzy Hash: 7B011A74E00209DFDB04DFA9D545B9EF7F4FF08300F148269A519EB382EA749A40CB95
              Function 0362C0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0622290fbb8df94890b676cf30aa8ffe978b2e3855a4d0dacbbcda034e23dd33
              • Instruction ID: c7c0a44260b78f7450a14d4b3f81b058a4e654f1e5648f5a8e687b45fcb62ac7
              • Opcode Fuzzy Hash: 0622290fbb8df94890b676cf30aa8ffe978b2e3855a4d0dacbbcda034e23dd33
              • Instruction Fuzzy Hash: BBF02B712047245BE315D659DD17B673E99DBD0651F2A806AE7058F3C0EE70DC018794
              Function 03703749 Relevance: .0, Instructions: 38COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction ID: 31de4e04013b1c4ec6057ee7d59a0a6ab8350afb0833a2672a65de447cabcf76
              • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction Fuzzy Hash: 2AF04FBA940304BFE711EBA4CD41FDA77FCEB04714F10016AAA16DA1D0EA70AA44CB94
              Function 036D437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: 331030cd5d91319d6643b8eea1c28c16f97d2fead2788fc95f51a39167ab1f96
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: DEF08935B41B2247DB77EA6F9510B2EE2559F80A50B4F052C9556CFF40DF70DC018794
              Function 036EF3E6 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1c2db69c223cf5b712f0009a9c9c2f9102ad27a7f4679d6ffbee406bccf048b
              • Instruction ID: e16628462a0112ea6cab47178ff2d38b8999c1dbd2c6b105ec2074b6355b2ed9
              • Opcode Fuzzy Hash: e1c2db69c223cf5b712f0009a9c9c2f9102ad27a7f4679d6ffbee406bccf048b
              • Instruction Fuzzy Hash: 5DF04F75E01348EFCB04EFA9D545A9EB7F4EF08300F508069B945EB382D674DA01CB55
              Function 036292FF Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2ee942ddc1b6bf002d11563af606e355c8b228b598197ad8cce22de3d1396f20
              • Instruction ID: 321ac88067a363630f58c84dc12ae148087275ad6c1b33801905834a9105faca
              • Opcode Fuzzy Hash: 2ee942ddc1b6bf002d11563af606e355c8b228b598197ad8cce22de3d1396f20
              • Instruction Fuzzy Hash: F7F0FA32200B40ABC731EB09CD04F9ABBEDEFC4B00F19012DA94283290C7A1A908CAA0
              Function 036347FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad5bf681d77475fe1f3a5c0182c9de2b686f9fac84c58a70a42ec50d79320987
              • Instruction ID: 268d06df24e9fd3ace0d8f1f16e42549a1d46b42b3445e9da42dcd89a2a00756
              • Opcode Fuzzy Hash: ad5bf681d77475fe1f3a5c0182c9de2b686f9fac84c58a70a42ec50d79320987
              • Instruction Fuzzy Hash: AFF090399127D09ED723CB5ACA44B21F7D8DB03664F0C89AAD48A87641CF34D881CA50
              Function 036EF6C7 Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cdfd0fa44d5ed51b69b90b7dfbb1e7418d677247e76ae7802a259ca2672a66f7
              • Instruction ID: c441be79009d867f33cd99f52a975aa3add421d3466b1f7b7d070cb1d1bf6bca
              • Opcode Fuzzy Hash: cdfd0fa44d5ed51b69b90b7dfbb1e7418d677247e76ae7802a259ca2672a66f7
              • Instruction Fuzzy Hash: 55F06D79A10348EBDB04EFA9D909EAEB7F4EF08304F404069E501EB381EA74D901CB58
              Function 036F0115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cef8353970f5f15c084f3c096543240baa731534450aa606ced8581e6dff8381
              • Instruction ID: f7b71183d1876fd437421208d4d15b3b308495d3a6aa0e63819d0b1dabaee533
              • Opcode Fuzzy Hash: cef8353970f5f15c084f3c096543240baa731534450aa606ced8581e6dff8381
              • Instruction Fuzzy Hash: 01F0273A4167C04ECF31FB68A650391AF599752014F1D108EC5E15B306C9B88483C624
              Function 0370539D Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d8834f43084d3a8aa023cc17cb21fab90b08f3c6a9f512e18630ca5a591c12b9
              • Instruction ID: f93adc97dbb723d6e36df74681b44b904dec480ed4b1affb6dec77a1dc374b85
              • Opcode Fuzzy Hash: d8834f43084d3a8aa023cc17cb21fab90b08f3c6a9f512e18630ca5a591c12b9
              • Instruction Fuzzy Hash: F8F03A74A14348EBDB04EBB9E545AAEB7B4EB08204F608059A501EB281DA74D9019B69
              Function 037052E2 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8a583e2cd2c83fe574c0afc55df1cd5f983ee96a56343f9064cdb6fac9f776c
              • Instruction ID: 9c614fec6fe38492424ff415325c5cf53237f99c70eea97b869d51d76fefdd63
              • Opcode Fuzzy Hash: a8a583e2cd2c83fe574c0afc55df1cd5f983ee96a56343f9064cdb6fac9f776c
              • Instruction Fuzzy Hash: 18F0BE74A10348EBDB04EFB9E905EAEB3F4EF08304F544058A401EB3C1EA74D900CB58
              Function 03705283 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4001dfbc9816aa390cef83ffcf6f01e3c1189e5e2e2015b80ad45b1e37276767
              • Instruction ID: d5817461df512921e0bd17e07e18c31dbbaa68a09ba00614cba185cd5f094340
              • Opcode Fuzzy Hash: 4001dfbc9816aa390cef83ffcf6f01e3c1189e5e2e2015b80ad45b1e37276767
              • Instruction Fuzzy Hash: FCF05E78A14348EBDB04EBB9D905EAEB7F4FF09300F544459A541EB3C1EA74D9009B55
              Function 03672619 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: c36a9c33b2ca430ead0b883c812cc505e451a61c2c1b9759280d46c758feee7c
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: 96E092723006002BD721EE59CCD0F4777AEAF82B10F44047EB5045E252CAE29C1982A8
              Function 03705341 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b9004c15fce1af9fc9e3e9ba51a63370c765181f51bb171a0e858f753c72e17a
              • Instruction ID: 045f4f238270bb687eb8358d96a93e018f852b528884e8617524413405d48649
              • Opcode Fuzzy Hash: b9004c15fce1af9fc9e3e9ba51a63370c765181f51bb171a0e858f753c72e17a
              • Instruction Fuzzy Hash: 13F0A074A0434CEBDB04EBB9D949E9EB7F8EF0A304F640059E502EB3D1EA74D9008B19
              Function 03705227 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dff14156f6bf2e6c8c644882bbcae77e5fc931c7f9e19120c7ccfeaf89162f07
              • Instruction ID: 7afed989c21a332b914b2b30b708f3810326a707bb68fcf4b66cb5cc758eeb52
              • Opcode Fuzzy Hash: dff14156f6bf2e6c8c644882bbcae77e5fc931c7f9e19120c7ccfeaf89162f07
              • Instruction Fuzzy Hash: ADF08274A14348EBDB14EBB9D905EAEB3F8EF04704F540458A901EB3C1EA74D9008759
              Function 03667208 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc4b5e256cb3d8e99aa5b7bc2b0d4058efce7024642ac4284b2da8019798e104
              • Instruction ID: d00ab186725895ab7102e999d74e34d240c450f24b2ea2356488bbb9a5f36660
              • Opcode Fuzzy Hash: cc4b5e256cb3d8e99aa5b7bc2b0d4058efce7024642ac4284b2da8019798e104
              • Instruction Fuzzy Hash: 8DF02071911A849FC723C72ECA84B22B3DD9F01BB4F0C80A0D4098F701CFA8CC80CA90
              Function 037051CB Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cf0e3bd718d101eaae9fc536793a6022e1fa565dcf991ad2415c29802d213e0
              • Instruction ID: 644aea16501c4773e692f8fc2a776c7e3d4c5fdf4c32d6d7d4a1bd91950d6c9c
              • Opcode Fuzzy Hash: 5cf0e3bd718d101eaae9fc536793a6022e1fa565dcf991ad2415c29802d213e0
              • Instruction Fuzzy Hash: EBF082B4A14248EBDB04EBB9D905E6EB3F4EF04304F540059A901EB3C1EA74E900CB59
              Function 036AD070 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction ID: 5297cc75422348fc23b988c0c29b3b1707e1ad94aca4c50052a918f098b4bc9b
              • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction Fuzzy Hash: 1AF0E53360461467C330AA0D8C15F5BFBACDBD5B70F20431ABA249B2D0DA70A911D7DA
              Function 036EF72E Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29eb063e0ff56d2629be013ed7575b20f267b818822edeb5b476ec8fba3bb552
              • Instruction ID: 8f7f7a54388f16d40468366491359ca44aeeb5c15045de2da7f0d70a4fbb8787
              • Opcode Fuzzy Hash: 29eb063e0ff56d2629be013ed7575b20f267b818822edeb5b476ec8fba3bb552
              • Instruction Fuzzy Hash: 89F0E274A11348ABDB04EBB9D549E9E77B4EF08700F410058F101EF380D974D9019718
              Function 03630710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: c8a76dd76166bd055a517a04fc9b68d60e40d03babd9cc9a09acfa8f61b3c8d5
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: AAF0ED3E2043409BDB16DF19C540AA57BB8EB4A360B1400D8E8428B300EB32E986CB84
              Function 037037B6 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction ID: 667646c4acd9c90df5db0835e992e47794fb80a9e82e5a33178599539b90fce5
              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction Fuzzy Hash: 35E06D76210200AFE764DB58CD45FA673ECEB01720F540258B115971D0DAB0AE40CA64
              Function 036B4000 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: adb0d2ca0486b4bdf3251fadb0e218c67638328b78afbe087292a9e61e5a14df
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 3FE0C2343003058FD716CF1AC140BA2B7B6BFD5A10F28C068A8488F306EB32E882CB40
              Function 036EB3D0 Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction ID: 324ce669774715bd7523f383deaab3ad2220d0cc93b8e71b337ecbbcd759d54f
              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction Fuzzy Hash: 55E0CD35245714B7DB22AA40CD00F697B15DF507D0F108035FA085F750C5719C55D6D4
              Function 0362823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: 834d9d46293665bc714a4952a0fee6aea5080fbeb180ccfb76e4a3b2355934a0
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: 6EE08C35502A20EEDB31EF11DD14B527AB5FB88B10F26896DE0810B5A487B0A892DE8C
              Function 036B92BC Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e73b94475550c6a3cdf18838e5e83ccdfd1444e4c3d6ebe705afbddb7c31e449
              • Instruction ID: 4fc80d0275829fe69c39a1ac3eb2d17e58b6e379bd7d2cefe220812c93006c69
              • Opcode Fuzzy Hash: e73b94475550c6a3cdf18838e5e83ccdfd1444e4c3d6ebe705afbddb7c31e449
              • Instruction Fuzzy Hash: 05F0E535651B84CFE72ADF08C2E2B91B7F9FB55B40F504458D4468BBA1C73AA982CF40
              Function 03632050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bab4011fdeb0f07e60481eab7e94cb91a9ab15f20f954a9dab46cfa851d51685
              • Instruction ID: 3f03268d082549aa26ce4025d68eafaacb6b2add09ddbdc6fdd8da8a1a2f0dff
              • Opcode Fuzzy Hash: bab4011fdeb0f07e60481eab7e94cb91a9ab15f20f954a9dab46cfa851d51685
              • Instruction Fuzzy Hash: C9E0C2322006506BC322FB5DDD10F4A739EEFA6360F104129F1508B6D0CA64AC10C798
              Function 0362A0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: d3de3aa9678e021175f0947359b12a437c95e03ed9ad89388b6dc1abe070a9ed
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 38D0223231243093CB28E690A904F63AD059B81AA4F1B002C380AD3A00C8048C43CAE0
              Function 036402A0 Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: 8bd5c1e0bd502fe523ba95dac60c23bdcf5ef5e396790d1cbbcdc18959c8f268
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: 9CD0C935612E80CFD71BCF0DC6A4B16B3B8BB44B44F8504D0E501CBB61D66CD940CE04
              Function 036B930B Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction ID: 52208dc3bd3bb9504633463a0321448ccbdca99ade4cec2e0de288df4d999b65
              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction Fuzzy Hash: 22D05E35945AC4CFE727CB18C265B907BF8F705B40F890098E04247BA2C37C99C4CB50
              Function 0366C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: 142202c581ec9fb6b0fdeb4b43bf4ed0287658d7f429c13d5e3ffbf13a924662
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: 79C08C3B290748AFC712EF98CD01F027BA9EB98B40F104021F3048B670C631FC20EA88
              Function 03650310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: 7b133768ff382e91061a2b238a6dde3637b3062e847eb15f81908f712d765a28
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: 40D01236100248EFCB01DF41C890D9A772AFBD8710F148019FD190B6108A31ED62DA50
              Function 03630750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: f7560e59d52c7628f4e291dd9aaa5755ee699e022ef6aff0f5a2646e5223fa01
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: FBC04879B01A418FCF15EB2AD394F8977E8FB48740F2918D0E805CBB21E624E811CA10
              Function 03674340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 220226324abee41323fabff9899d2359fe1387d4f3b373e1cee263fcacd492e0
              • Instruction ID: 809977f9366c9fbda9797c0c7b21ec1f7a491882b24f294b8462c3611699f634
              • Opcode Fuzzy Hash: 220226324abee41323fabff9899d2359fe1387d4f3b373e1cee263fcacd492e0
              • Instruction Fuzzy Hash: 15900231605804129140B65848C4586400697E4301B95C111E0424658D8B548A565361
              Function 03673010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ffe97900863f1f6ff1fb622b6e799d50167bfc579d0f4b73415c3792cafc80a
              • Instruction ID: 1243aa40728cc219c0e853640e3437e38871ba296fc17e87c24475fa547900fe
              • Opcode Fuzzy Hash: 5ffe97900863f1f6ff1fb622b6e799d50167bfc579d0f4b73415c3792cafc80a
              • Instruction Fuzzy Hash: C390022120184842D140B7584844B4F410687E5302FD5C119A4156658DCA5589555721
              Function 03673090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3484f65dd6c4792e7194fb63c30e54d09e656ec6a7b9dc6b120d8ad9b1bb012f
              • Instruction ID: dde3a08161755d95cfd4ceaf3303ddde0fd82be681a6119467755975f2868bc9
              • Opcode Fuzzy Hash: 3484f65dd6c4792e7194fb63c30e54d09e656ec6a7b9dc6b120d8ad9b1bb012f
              • Instruction Fuzzy Hash: 3690022124140C02D140B65884547470007C7D4701F95C111A0024658E87568A6566B1
              Function 03674650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 847cbb0c131c6079d94eee7b445a3d08d2fc4e92f06adea91e87819f2162aca8
              • Instruction ID: 2adb74a592e17b02683643e347870d444cf33e8ca16646f475d114a35ec6c132
              • Opcode Fuzzy Hash: 847cbb0c131c6079d94eee7b445a3d08d2fc4e92f06adea91e87819f2162aca8
              • Instruction Fuzzy Hash: CD900261601504424140B6584844446600697E53013D5C215A0554664D875889559269
              Function 03672BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d626bd91d65d7d372195edb5faf2278834fd64f8a997008c243e8304fa74afa
              • Instruction ID: 45fe79f86ada4a08304903ed8f6a16fdb893b5eff3353011f0b806c660d03e00
              • Opcode Fuzzy Hash: 0d626bd91d65d7d372195edb5faf2278834fd64f8a997008c243e8304fa74afa
              • Instruction Fuzzy Hash: 5190023120544C42D140B6584444A86001687D4305F95C111A0064798E97658E55B661
              Function 03672BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c4ddd402f7adcbc87f20f0d8804259ccab9924af19a446120d43bc84c95672c4
              • Instruction ID: 9b1f26a2aaeee0eb726926c5200498220773c51982f232afdb7d29ea440c4cce
              • Opcode Fuzzy Hash: c4ddd402f7adcbc87f20f0d8804259ccab9924af19a446120d43bc84c95672c4
              • Instruction Fuzzy Hash: D890023120140C02D180B658444468A000687D5301FD5C115A0025758ECB558B5977A1
              Function 03672BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba51f4069295b75a70f253e196f475a8fe8e23e9bd12d9cd149cb58aef0ef2c4
              • Instruction ID: e255ac6017c0f8023d8087a68b876ccfe483b10b3dd1a74a8bc27fc882ffe6f0
              • Opcode Fuzzy Hash: ba51f4069295b75a70f253e196f475a8fe8e23e9bd12d9cd149cb58aef0ef2c4
              • Instruction Fuzzy Hash: 3E90023160540C02D150B6584454786000687D4301F95C111A0024758E87958B5576A1
              Function 03672B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e336c2bae22b68fa82394d434983f0582b9d98caba37d89976c90496bba4b11
              • Instruction ID: d27d50eb9e267a84cd43bdfbd004b7f2e4d9746ac91feac522289bbceca1fa9f
              • Opcode Fuzzy Hash: 2e336c2bae22b68fa82394d434983f0582b9d98caba37d89976c90496bba4b11
              • Instruction Fuzzy Hash: 6990023120140C02D104B65848446C6000687D4301F95C111A6024759F97A589917131
              Function 03672AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9865da355708da3dee31bec0f9514a92978feab2fe243d9eb4a2459ada50ae9d
              • Instruction ID: 1876c73531c03fd5f33fb72b88d5b2296e29a5202e95ac72e0d702bfd56775b3
              • Opcode Fuzzy Hash: 9865da355708da3dee31bec0f9514a92978feab2fe243d9eb4a2459ada50ae9d
              • Instruction Fuzzy Hash: 87900225221404020145FA58064454B044697DA3513D5C115F1416694DC76189655321
              Function 03672AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2cadfc41327b4bb12c4be7e172952bb3ff4bd0c15ff566897a5d3e929471c4f4
              • Instruction ID: 5c99afa0f746733a33a2d0d181c16d202c37b6c620a31395c28dca174068b168
              • Opcode Fuzzy Hash: 2cadfc41327b4bb12c4be7e172952bb3ff4bd0c15ff566897a5d3e929471c4f4
              • Instruction Fuzzy Hash: FA900435311404030105FF5C07445470047C7DD3513D5C131F1015754DD771CD715131
              Function 03672AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fe177197ea429e200ca16a264de4a8484007e0c328eaa6aceb1b52ffcc73c68
              • Instruction ID: a5514a58808e01875ab92ee86d1382bcba904d50a5c1e4240ddb71d473100e17
              • Opcode Fuzzy Hash: 4fe177197ea429e200ca16a264de4a8484007e0c328eaa6aceb1b52ffcc73c68
              • Instruction Fuzzy Hash: 099002A1201544924500F7588444B4A450687E4301B95C116E1054664DC66589519135
              Function 036739B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3017c3c725664d8964b22ba38fe065551955177301b43a76e6bb452047da1bc0
              • Instruction ID: b91b390339b3ce60c56b9f67de7451120a0410e939cc0a370b205825e8be5faf
              • Opcode Fuzzy Hash: 3017c3c725664d8964b22ba38fe065551955177301b43a76e6bb452047da1bc0
              • Instruction Fuzzy Hash: AD90022124545502D150B65C44446564006A7E4301F95C121A0814698E869589556221
              Function 03672F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bc50fdbdb35479085fcb93b29b35b7546b92f2e75d72c13a61f241a31d19a837
              • Instruction ID: dedf5f136aad4d1561ab92e674ea2aae08af5c11f3155595e8e5fe61118c5127
              • Opcode Fuzzy Hash: bc50fdbdb35479085fcb93b29b35b7546b92f2e75d72c13a61f241a31d19a837
              • Instruction Fuzzy Hash: 4090026121140442D104B6584444746004687E5301F95C112A2154658DC6698D615125
              Function 03672F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 40dde0c8389298ad797ae564f8d4a8148028744fb6309ae09c708644ea90493b
              • Instruction ID: 4cf9eaf36b44b2e0c33c4b9db8789212870a99f51b200a27fb2f26bb02034f24
              • Opcode Fuzzy Hash: 40dde0c8389298ad797ae564f8d4a8148028744fb6309ae09c708644ea90493b
              • Instruction Fuzzy Hash: 3B90026134140842D100B6584454B460006C7E5301F95C115E1064658E8759CD526126
              Function 03672FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b7d77cbb24993b8e9b22c03e2ab0a95b5023f68450dab8eaf4f102ea49a633bb
              • Instruction ID: 33800ff4ef5930c83dd1e0d9663238ba41a3c577db1de7273f67c2703e97dc23
              • Opcode Fuzzy Hash: b7d77cbb24993b8e9b22c03e2ab0a95b5023f68450dab8eaf4f102ea49a633bb
              • Instruction Fuzzy Hash: D6900221211C0442D200BA684C54B47000687D4303F95C215A0154658DCA5589615521
              Function 03672FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a16abbccfafa53485995b015bced318b8554390a1a54b6a1ef4a67d89ea85116
              • Instruction ID: 08ba8383abdcda55cd4713981f4300cb836be1f6ecaf7edb84538028a7d6f747
              • Opcode Fuzzy Hash: a16abbccfafa53485995b015bced318b8554390a1a54b6a1ef4a67d89ea85116
              • Instruction Fuzzy Hash: 9C90023120180802D100B6584848787000687D4302F95C111A5164659F87A5C9916531
              Function 03672FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 951bdee1c65164b812762a832030fd755912015f1b61fc8309d360fda7d38383
              • Instruction ID: 6005ef6f093c2f0f46cd85166790aa9ef261c7d3b9e208cde4e5076d827fb4b6
              • Opcode Fuzzy Hash: 951bdee1c65164b812762a832030fd755912015f1b61fc8309d360fda7d38383
              • Instruction Fuzzy Hash: ED900221601404424140B66888849464006ABE5311795C221A0998654E869989655665
              Function 03672F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6090204143d90c409afb99da9eff6d3e0d5cce45aa91614536ebdad61f66d59
              • Instruction ID: 3aa003d67dcc11ba95c3e0c244e3ac4b03cce96cb405c8ed2288800ee14a5ad2
              • Opcode Fuzzy Hash: f6090204143d90c409afb99da9eff6d3e0d5cce45aa91614536ebdad61f66d59
              • Instruction Fuzzy Hash: FB90023120180802D100B658485474B000687D4302F95C111A1164659E876589516571
              Function 03672E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 60f76ebcd1d01f57aba125f2cfa0e89361f3469b25852382630518aa9a3ef16e
              • Instruction ID: ac9a55e02d3ca15807a57236cef1689dc94ddc8aecbb1cf2f8b764d3eb27591c
              • Opcode Fuzzy Hash: 60f76ebcd1d01f57aba125f2cfa0e89361f3469b25852382630518aa9a3ef16e
              • Instruction Fuzzy Hash: DB90022130140802D102B6584454646000AC7D5345FD5C112E1424659E87658A53A132
              Function 03672EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 02c1760a81aa253f97197a968635bdb7a0bdfe00a0155ca24eafc6807ca49990
              • Instruction ID: 2009c4b21c502db950d934bcdac7fa63bf7a7341f15f1866729f363aeed19f2c
              • Opcode Fuzzy Hash: 02c1760a81aa253f97197a968635bdb7a0bdfe00a0155ca24eafc6807ca49990
              • Instruction Fuzzy Hash: 3990026120180803D140BA584844647000687D4302F95C111A2064659F8B698D516135
              Function 03672EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8ef0c1b585e7cca59f93634c4194a7f3a37c1c11d529cfbad8c0b75e4a899c20
              • Instruction ID: 0b88e1cda8a68370aea70bd6f0237e7b1c857bb963b2a18813f875aa3ddde019
              • Opcode Fuzzy Hash: 8ef0c1b585e7cca59f93634c4194a7f3a37c1c11d529cfbad8c0b75e4a899c20
              • Instruction Fuzzy Hash: DD90027120140802D140B6584444786000687D4301F95C111A5064658F87998ED56665
              Function 03672E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 110743bf36a287006f2762d9603a0069fbb5422e9b5d2e6f89d15cac22eb950b
              • Instruction ID: a6601a38d3994d050a93b4310d5cfa758d354a5252bd310f3d630d69f2eca991
              • Opcode Fuzzy Hash: 110743bf36a287006f2762d9603a0069fbb5422e9b5d2e6f89d15cac22eb950b
              • Instruction Fuzzy Hash: 8E90022160140902D101B6584444656000B87D4341FD5C122A1024659FCB658A92A131
              Function 03673D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff6845c0bd2eec3e2f74ebc883d65fd50862a000f683f3af393f079f71c22934
              • Instruction ID: b5c75c6b0858e1d826eefaf0b3a12823685a81f004b5b2af19a0b9a98123ae75
              • Opcode Fuzzy Hash: ff6845c0bd2eec3e2f74ebc883d65fd50862a000f683f3af393f079f71c22934
              • Instruction Fuzzy Hash: 3F90023520140802D510B6585844686004787D4301F95D511A042465CE879489A1A121
              Function 03672D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 424cd822e844f0de59424d2ceb0219ff5c0efd77449fee26d3c563f4c17a2cf2
              • Instruction ID: 550db0ed94396a8b97b0d23723babb47a8ca8f19d5d513dc8a3aec6ce304e473
              • Opcode Fuzzy Hash: 424cd822e844f0de59424d2ceb0219ff5c0efd77449fee26d3c563f4c17a2cf2
              • Instruction Fuzzy Hash: 2F90022130140403D140B65854586464006D7E5301F95D111E0414658DDA5589565222
              Function 03672D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a270aa32d566f4656925b78eb19757bccdec28e46be5192113b85f17e4d752d
              • Instruction ID: e94c90bdc3197e2306ab4c24857d614b78746af37834f9dfb48ed2615b8d33ab
              • Opcode Fuzzy Hash: 8a270aa32d566f4656925b78eb19757bccdec28e46be5192113b85f17e4d752d
              • Instruction Fuzzy Hash: BD90022120544842D100BA585448A46000687D4305F95D111A1064699EC7758951A131
              Function 03672D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eda0c77d4ed49c629b633745327f00a43da01ac79acd2e7744c66b46c7482f4
              • Instruction ID: eb3b26cc62c91c58aa2bcf805b03df034cd8fd138102a157ab3551ec396ee687
              • Opcode Fuzzy Hash: 7eda0c77d4ed49c629b633745327f00a43da01ac79acd2e7744c66b46c7482f4
              • Instruction Fuzzy Hash: 7390022921340402D180B658544864A000687D5302FD5D515A001565CDCA5589695321
              Function 03673D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73e4677b71c5f19dac0202b67f08c80c0855ab179588a8b5cb3f9b6d13df73ee
              • Instruction ID: ad16e4712f401959e33ff3f40102739bbbe3a81c3a51bfd54614708970c35028
              • Opcode Fuzzy Hash: 73e4677b71c5f19dac0202b67f08c80c0855ab179588a8b5cb3f9b6d13df73ee
              • Instruction Fuzzy Hash: 38900231202405429540B7585844A8E410687E5302BD5D515A0015658DCA5489615221
              Function 03672DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 253e6dcfcae3c80fa1c042529e4a1fe9e781fa790703fd62d34e43de3fad84a2
              • Instruction ID: 3cd3554952be4e277cf9caf681f4d01bb0d632706e383e7fb4c57cb3c80cca1e
              • Opcode Fuzzy Hash: 253e6dcfcae3c80fa1c042529e4a1fe9e781fa790703fd62d34e43de3fad84a2
              • Instruction Fuzzy Hash: DE900221242445525545F6584444547400797E43417D5C112A1414A54D86669956D621
              Function 03672DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3f1eaefd2d98d22ea02749bf59ad0e7ffabd9d6b705ca9eaf8c437220f1eebe
              • Instruction ID: c0a3e2716ec8ae41761c3557174784ccfb59649f7173eb5b1e8d1de5d590b5a2
              • Opcode Fuzzy Hash: a3f1eaefd2d98d22ea02749bf59ad0e7ffabd9d6b705ca9eaf8c437220f1eebe
              • Instruction Fuzzy Hash: B490023124140802D141B6584444646000A97D4341FD5C112A0424658F87958B56AA61
              Function 03672C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6788562e8e983b300f9bf29eabbf1986e601c5e65499951b0e880f53bc649482
              • Instruction ID: a73d70b26dc13e65620a629f34f1aa02e7663319655713b10b705c0158acf1b1
              • Opcode Fuzzy Hash: 6788562e8e983b300f9bf29eabbf1986e601c5e65499951b0e880f53bc649482
              • Instruction Fuzzy Hash: 1890023120140C42D100B6584444B86000687E4301F95C116A0124758E8755C9517521
              Function 03672C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fdc63664eb2456a73da58ae88b433236a598b136d3383bb955f8bad88925d6ea
              • Instruction ID: 57c9decabb3b232f45a361f624714e0ec6778d0d7793dceab87a2f73d3ff40a1
              • Opcode Fuzzy Hash: fdc63664eb2456a73da58ae88b433236a598b136d3383bb955f8bad88925d6ea
              • Instruction Fuzzy Hash: 5890023120148C02D110B658844478A000687D4301F99C511A442475CE87D589917121
              Function 03672CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 36963c9749f21c2174d5b8e9c5c410bbf833b98a27767b7951a71fe7bb7f70d1
              • Instruction ID: 18c4a8923d9017b505c535c34a9086cceea6c34b9e5366c63e0909e620ee77c9
              • Opcode Fuzzy Hash: 36963c9749f21c2174d5b8e9c5c410bbf833b98a27767b7951a71fe7bb7f70d1
              • Instruction Fuzzy Hash: 6190023120140803D100B6585548747000687D4301F95D511A042465CED79689516121
              Function 03672CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54b5fefee22b49489c531166c3df5c1e43fbb8c0aea5a7437d7fb54b2de1946d
              • Instruction ID: 48922546de11365eb2e63827ff35ded3a45b52560a1eb52c2694c6cd9b21ee5b
              • Opcode Fuzzy Hash: 54b5fefee22b49489c531166c3df5c1e43fbb8c0aea5a7437d7fb54b2de1946d
              • Instruction Fuzzy Hash: A590022160540802D140B6585458746001687D4301F95D111A0024658EC7998B5566A1
              Function 03672CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dfbeefffa24b521b8078332ff1d50c2c3c2a5e021f386f356bb0a8ed433b041b
              • Instruction ID: 4947b2c852d1bbb9d6bcd5b7e1280a91f65a64248abaac80ad49a95163ad975f
              • Opcode Fuzzy Hash: dfbeefffa24b521b8078332ff1d50c2c3c2a5e021f386f356bb0a8ed433b041b
              • Instruction Fuzzy Hash: 5290023120140802D100BA985448686000687E4301F95D111A5024659FC7A589916131
              Function 03672C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 829bb9b762ae8f925790c83f671aa4208fa631a060d9be7762ffabc54cb6b263
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 03672890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 62274f3d15778049b9603b58f2e1dae6207422e339c7e0b86b6d3061ec76189d
              • Instruction ID: 282589b5143b222d48a16e6871b8351cf7c825e08d96a27db41d0a5a55bc5096
              • Opcode Fuzzy Hash: 62274f3d15778049b9603b58f2e1dae6207422e339c7e0b86b6d3061ec76189d
              • Instruction Fuzzy Hash: 2F51D9B5A04516BFCB10DF9DC9A097EF7B8BB08200B58866AE4A5D7741D334DE44CBE4
              Function 03667630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • Execute=1, xrefs: 036A4713
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 036A4655
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 036A4787
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 036A4725
              • ExecuteOptions, xrefs: 036A46A0
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 036A46FC
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 036A4742
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: 9e208eae6c112bdfcc5b132b00a8479ea66971f77d7d8301a0a4321d5eefc711
              • Instruction ID: 05985d717170dcfd592e2691e2d81588a5619331c743dbb5f3b07073dd2b2b65
              • Opcode Fuzzy Hash: 9e208eae6c112bdfcc5b132b00a8479ea66971f77d7d8301a0a4321d5eefc711
              • Instruction Fuzzy Hash: 76514935A003097ADF21EBA9DC89FAE77B8EF05348F0800ADD505EB291EB719E518F54
              Function 0367B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: 4d750a17a3fadbc85023cf9ac478ac7b3aee9617a1255f6828546db23ea22687
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: FA81F170E052499EDF28CF68C9957FEBBB6AF45320F9C425ED861AB390C7308851CB54
              Function 0365F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036A02BD
              • RTL: Re-Waiting, xrefs: 036A031E
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036A02E7
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 5c9d4e05ed4a05016203769acde3f14b68fe71f49a5af58ff29875d289cb6bb5
              • Instruction ID: e1a06293db47928e79b114aa7b7cb4fa5c352d3c65127280c81266835c73c532
              • Opcode Fuzzy Hash: 5c9d4e05ed4a05016203769acde3f14b68fe71f49a5af58ff29875d289cb6bb5
              • Instruction Fuzzy Hash: EFE1AC30604B41DFD724CF28C984B6ABBE4BB88324F184A6DF9A58B3E1D775D945CB42
              Function 0366BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Resource at %p, xrefs: 036A7B8E
              • RTL: Re-Waiting, xrefs: 036A7BAC
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 036A7B7F
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 64f37b5f49c7cbb868b5435088455b61dd17b3d134c2b7a30f8c2c38b70c79f2
              • Instruction ID: feb268656fc47c528e7ff28105b3daa6eb5c38468374b890b9c267555df3ac5b
              • Opcode Fuzzy Hash: 64f37b5f49c7cbb868b5435088455b61dd17b3d134c2b7a30f8c2c38b70c79f2
              • Instruction Fuzzy Hash: BF41E2353007029FC724DE6ACD40B6AB7E9EF88760F140A2DE85ADB790DB70E8058F95
              Function 0366B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 036A728C
              Strings
              • RTL: Resource at %p, xrefs: 036A72A3
              • RTL: Re-Waiting, xrefs: 036A72C1
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 036A7294
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: eadc5b00081f3aadb6cbecddb9363a37769cfbc81df39061fd386689d66f5c40
              • Instruction ID: 04b42fad36b6039b66cb56d291645ff32dcfac5944f209c950a4f202eecddb28
              • Opcode Fuzzy Hash: eadc5b00081f3aadb6cbecddb9363a37769cfbc81df39061fd386689d66f5c40
              • Instruction Fuzzy Hash: EF41F035700606ABC720DE69CD41B6ABBA5FF84750F180629F855EB340DB30E8528BE9
              Function 03677D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: f82a028039bac5f867c5f5652d00895fb62e3b3093866cae76172b3a19d50c72
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 8691C470E0021A9BDF24DF69CA81ABEB7B5FF44320F98461AE865E73C0D7349942CB50
              Function 03639126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: acdebb8ea35163df2eeac3271beeb3f80a1e650ea2a114cdc3a458077ae52a89
              • Instruction ID: 807ae5e144d08af22ae12aa8f1ad19beb77c177cd9253d130fb62a99f8eed811
              • Opcode Fuzzy Hash: acdebb8ea35163df2eeac3271beeb3f80a1e650ea2a114cdc3a458077ae52a89
              • Instruction Fuzzy Hash: E7813A76D002699BDB31DF54CD54BEABBB8AF08710F0445EAE909B7280D7709E81CFA4
              Function 036BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
              Download Yara Rule
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 036BCFBD
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1765008354.0000000003600000.00000040.00001000.00020000.00000000.sdmp, Offset: 03600000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3600000_svchost.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4_w@4_w
              • API String ID: 4062629308-713214301
              • Opcode ID: 80008630b15025f6f5ca4ce0509ec1ece12d6dc72d456d752687f0c2f4b0879e
              • Instruction ID: 1734f907ab674a2e86636b25b80b10e9085d242087ad081629f770de34f2bfa0
              • Opcode Fuzzy Hash: 80008630b15025f6f5ca4ce0509ec1ece12d6dc72d456d752687f0c2f4b0879e
              • Instruction Fuzzy Hash: AF419C79A00224DFDB21EFA9C980AAEBBB8EF45B04F14406EEA15DF354D734D941CB64