Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RdichqztBg.exe

Overview

General Information

Sample name:RdichqztBg.exe
renamed because original name is a hash value
Original sample name:7d2dba45bf81abba9d31ec681038d84fa98517b3034cfdf235f4de68a3876f98.exe
Analysis ID:1588378
MD5:1775ea702512bcb8aba8fb91b27d34a6
SHA1:ccceafffca25cc72770aef71b5d4832f7493af45
SHA256:7d2dba45bf81abba9d31ec681038d84fa98517b3034cfdf235f4de68a3876f98
Tags:exeFormbookuser-adrian__luca
Infos:

Detection

FormBook
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • RdichqztBg.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\RdichqztBg.exe" MD5: 1775EA702512BCB8ABA8FB91B27D34A6)
    • svchost.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\RdichqztBg.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.1971334766.0000000003D50000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RdichqztBg.exe", CommandLine: "C:\Users\user\Desktop\RdichqztBg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RdichqztBg.exe", ParentImage: C:\Users\user\Desktop\RdichqztBg.exe, ParentProcessId: 7444, ParentProcessName: RdichqztBg.exe, ProcessCommandLine: "C:\Users\user\Desktop\RdichqztBg.exe", ProcessId: 7540, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\RdichqztBg.exe", CommandLine: "C:\Users\user\Desktop\RdichqztBg.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RdichqztBg.exe", ParentImage: C:\Users\user\Desktop\RdichqztBg.exe, ParentProcessId: 7444, ParentProcessName: RdichqztBg.exe, ProcessCommandLine: "C:\Users\user\Desktop\RdichqztBg.exe", ProcessId: 7540, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: RdichqztBg.exeVirustotal: Detection: 66%Perma Link
          Source: RdichqztBg.exeReversingLabs: Detection: 71%
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1971334766.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: RdichqztBg.exeJoe Sandbox ML: detected
          Source: RdichqztBg.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.1636087024.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1638276241.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000003.1636087024.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1638276241.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1971334766.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Binary is likely a compiled AutoIt script file
          Source: RdichqztBg.exe, 00000000.00000000.1350699703.0000000000CA4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_06c70df8-4
          Source: RdichqztBg.exe, 00000000.00000000.1350699703.0000000000CA4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_d6c31b26-d
          Source: RdichqztBg.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_7ee03d5a-4
          Source: RdichqztBg.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_96b5c696-0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C9F3 NtClose,2_2_0042C9F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AA5D NtDelayExecution,2_2_0040AA5D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk,2_2_03A735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B60 NtClose,LdrInitializeThunk,2_2_03A72B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03A72DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74340 NtSetContextThread,2_2_03A74340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73090 NtSetValueKey,2_2_03A73090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73010 NtOpenDirectoryObject,2_2_03A73010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74650 NtSuspendThread,2_2_03A74650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BA0 NtEnumerateValueKey,2_2_03A72BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B80 NtQueryInformationFile,2_2_03A72B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BE0 NtQueryValueKey,2_2_03A72BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BF0 NtAllocateVirtualMemory,2_2_03A72BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AB0 NtWaitForSingleObject,2_2_03A72AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AF0 NtWriteFile,2_2_03A72AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AD0 NtReadFile,2_2_03A72AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A739B0 NtGetContextThread,2_2_03A739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FA0 NtQuerySection,2_2_03A72FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FB0 NtResumeThread,2_2_03A72FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F90 NtProtectVirtualMemory,2_2_03A72F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FE0 NtCreateFile,2_2_03A72FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F30 NtCreateSection,2_2_03A72F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F60 NtCreateProcessEx,2_2_03A72F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EA0 NtAdjustPrivilegesToken,2_2_03A72EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E80 NtReadVirtualMemory,2_2_03A72E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EE0 NtQueueApcThread,2_2_03A72EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E30 NtWriteVirtualMemory,2_2_03A72E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DB0 NtEnumerateKey,2_2_03A72DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DD0 NtDelayExecution,2_2_03A72DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D30 NtUnmapViewOfSection,2_2_03A72D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D00 NtSetInformationFile,2_2_03A72D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D10 NtMapViewOfSection,2_2_03A72D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D10 NtOpenProcessToken,2_2_03A73D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D70 NtOpenThread,2_2_03A73D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CA0 NtQueryInformationToken,2_2_03A72CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CF0 NtOpenProcess,2_2_03A72CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CC0 NtQueryVirtualMemory,2_2_03A72CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C00 NtQueryInformationProcess,2_2_03A72C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C60 NtCreateKey,2_2_03A72C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C70 NtFreeVirtualMemory,2_2_03A72C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004100EA2_2_004100EA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004100F32_2_004100F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031502_2_00403150
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004011F02_2_004011F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416AEE2_2_00416AEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416AF32_2_00416AF3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E2F32_2_0040E2F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004103132_2_00410313
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E4432_2_0040E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401C602_2_00401C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402C7B2_2_00402C7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E4382_2_0040E438
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402C802_2_00402C80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E48C2_2_0040E48C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004047542_2_00404754
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042EFD32_2_0042EFD3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A8739A2_2_03A8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F02_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B003E62_2_03B003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF132D2_2_03AF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D34C2_2_03A2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA3522_2_03AFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A02_2_03A452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C02_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE02742_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4B1B02_2_03A4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B001AA2_2_03B001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF81CC2_2_03AF81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A301002_2_03A30100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA1182_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7516C2_2_03A7516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F1722_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0B16B2_2_03B0B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC81582_2_03AC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF70E92_2_03AF70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF0E02_2_03AFF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF0CC2_2_03AEF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C02_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF7B02_2_03AFF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3C7C02_2_03A3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A407702_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A647502_2_03A64750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5C6E02_2_03A5C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF16CC2_2_03AF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADD5B02_2_03ADD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B005912_2_03B00591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A405352_2_03A40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF75712_2_03AF7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEE4F62_2_03AEE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFF43F2_2_03AFF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A314602_2_03A31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF24462_2_03AF2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5FB802_2_03A5FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB5BF02_2_03AB5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A7DBF92_2_03A7DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF6BD72_2_03AF6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFB762_2_03AFFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFAB402_2_03AFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADDAAC2_2_03ADDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A85AA02_2_03A85AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3EA802_2_03A3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEDAC62_2_03AEDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB3A6C2_2_03AB3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFA492_2_03AFFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF7A462_2_03AF7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A429A02_2_03A429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0A9A62_2_03B0A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A569622_2_03A56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A499502_2_03A49950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B9502_2_03A5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A268B82_2_03A268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A438E02_2_03A438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E8F02_2_03A6E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD8002_2_03AAD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A428402_2_03A42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4A8402_2_03A4A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFFB12_2_03AFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41F922_2_03A41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4CFE02_2_03A4CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32FC82_2_03A32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A82F282_2_03A82F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60F302_2_03A60F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFF092_2_03AFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4F402_2_03AB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A49EB02_2_03A49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A52E902_2_03A52E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFCE932_2_03AFCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFEEDB2_2_03AFEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFEE262_2_03AFEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40E592_2_03A40E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A58DBF2_2_03A58DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3ADE02_2_03A3ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5FDC02_2_03A5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4AD002_2_03A4AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF7D732_2_03AF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A43D402_2_03A43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF1D5A2_2_03AF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0CB52_2_03AE0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30CF22_2_03A30CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFFCF22_2_03AFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB9C322_2_03AB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40C002_2_03A40C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 268 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A87E54 appears 90 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03ABF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A75130 appears 36 times
          Source: RdichqztBg.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\RdichqztBg.exeFile created: C:\Users\user\AppData\Local\Temp\aut2983.tmpJump to behavior
          Source: RdichqztBg.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RdichqztBg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: RdichqztBg.exeVirustotal: Detection: 66%
          Source: RdichqztBg.exeReversingLabs: Detection: 71%
          Source: unknownProcess created: C:\Users\user\Desktop\RdichqztBg.exe "C:\Users\user\Desktop\RdichqztBg.exe"
          Source: C:\Users\user\Desktop\RdichqztBg.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RdichqztBg.exe"
          Source: C:\Users\user\Desktop\RdichqztBg.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RdichqztBg.exe"Jump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: ntmarta.dllJump to behavior
          Source: RdichqztBg.exeStatic file information: File size 1219584 > 1048576
          Source: RdichqztBg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: RdichqztBg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: RdichqztBg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: RdichqztBg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: RdichqztBg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: RdichqztBg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: RdichqztBg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000003.1636087024.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1638276241.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000003.1636087024.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1638276241.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1970980118.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp
          Source: RdichqztBg.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: RdichqztBg.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: RdichqztBg.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: RdichqztBg.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: RdichqztBg.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00411948 push ss; retf 2_2_0041194E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040214C pushad ; retf 2_2_0040214D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004229B7 push es; ret 2_2_004229CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416AAC push esp; retf 2_2_00416AAD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00413B33 pushfd ; ret 2_2_00413B79
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004033E0 push eax; ret 2_2_004033E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00423CA7 pushfd ; ret 2_2_00423CB2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00415D23 push 00000009h; retn 3081h2_2_00415DC4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041F61A push eax; iretd 2_2_0041F61B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041F63F push esp; retf 2_2_0041F648
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00408695 push edx; retf 2_2_004086AE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004086AF push edx; retf 2_2_004086AE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx2_2_03A309B6
          Source: C:\Users\user\Desktop\RdichqztBg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\RdichqztBg.exeAPI/Special instruction interceptor: Address: 159F354
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD1C0 rdtsc 2_2_03AAD1C0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7544Thread sleep time: -30000s >= -30000sJump to behavior
          Source: RdichqztBg.exe, 00000000.00000003.1355719344.00000000015F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD1C0 rdtsc 2_2_03AAD1C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417A83 LdrLoadDll,2_2_00417A83
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A533A5 mov eax, dword ptr fs:[00000030h]2_2_03A533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A633A0 mov eax, dword ptr fs:[00000030h]2_2_03A633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A633A0 mov eax, dword ptr fs:[00000030h]2_2_03A633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]2_2_03A5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]2_2_03A5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0539D mov eax, dword ptr fs:[00000030h]2_2_03B0539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A8739A mov eax, dword ptr fs:[00000030h]2_2_03A8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A8739A mov eax, dword ptr fs:[00000030h]2_2_03A8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF3E6 mov eax, dword ptr fs:[00000030h]2_2_03AEF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B053FC mov eax, dword ptr fs:[00000030h]2_2_03B053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]2_2_03A663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]2_2_03AEC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]2_2_03AB63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEB3D0 mov ecx, dword ptr fs:[00000030h]2_2_03AEB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF132D mov eax, dword ptr fs:[00000030h]2_2_03AF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF132D mov eax, dword ptr fs:[00000030h]2_2_03AF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5F32A mov eax, dword ptr fs:[00000030h]2_2_03A5F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A27330 mov eax, dword ptr fs:[00000030h]2_2_03A27330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB930B mov eax, dword ptr fs:[00000030h]2_2_03AB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB930B mov eax, dword ptr fs:[00000030h]2_2_03AB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB930B mov eax, dword ptr fs:[00000030h]2_2_03AB930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]2_2_03A2C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]2_2_03A50310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF367 mov eax, dword ptr fs:[00000030h]2_2_03AEF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]2_2_03AD437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A37370 mov eax, dword ptr fs:[00000030h]2_2_03A37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A37370 mov eax, dword ptr fs:[00000030h]2_2_03A37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A37370 mov eax, dword ptr fs:[00000030h]2_2_03A37370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D34C mov eax, dword ptr fs:[00000030h]2_2_03A2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D34C mov eax, dword ptr fs:[00000030h]2_2_03A2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05341 mov eax, dword ptr fs:[00000030h]2_2_03B05341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29353 mov eax, dword ptr fs:[00000030h]2_2_03A29353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29353 mov eax, dword ptr fs:[00000030h]2_2_03A29353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]2_2_03AFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A452A0 mov eax, dword ptr fs:[00000030h]2_2_03A452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF92A6 mov eax, dword ptr fs:[00000030h]2_2_03AF92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC72A0 mov eax, dword ptr fs:[00000030h]2_2_03AC72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC72A0 mov eax, dword ptr fs:[00000030h]2_2_03AC72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov eax, dword ptr fs:[00000030h]2_2_03AB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov eax, dword ptr fs:[00000030h]2_2_03AB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov ecx, dword ptr fs:[00000030h]2_2_03AB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB92BC mov ecx, dword ptr fs:[00000030h]2_2_03AB92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05283 mov eax, dword ptr fs:[00000030h]2_2_03B05283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6329E mov eax, dword ptr fs:[00000030h]2_2_03A6329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6329E mov eax, dword ptr fs:[00000030h]2_2_03A6329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE12ED mov eax, dword ptr fs:[00000030h]2_2_03AE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B052E2 mov eax, dword ptr fs:[00000030h]2_2_03B052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF2F8 mov eax, dword ptr fs:[00000030h]2_2_03AEF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A292FF mov eax, dword ptr fs:[00000030h]2_2_03A292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B2C0 mov eax, dword ptr fs:[00000030h]2_2_03A5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A392C5 mov eax, dword ptr fs:[00000030h]2_2_03A392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A392C5 mov eax, dword ptr fs:[00000030h]2_2_03A392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]2_2_03A2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]2_2_03A2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B2D3 mov eax, dword ptr fs:[00000030h]2_2_03A2B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]2_2_03A5F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5F2D0 mov eax, dword ptr fs:[00000030h]2_2_03A5F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05227 mov eax, dword ptr fs:[00000030h]2_2_03B05227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]2_2_03A2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A67208 mov eax, dword ptr fs:[00000030h]2_2_03A67208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A67208 mov eax, dword ptr fs:[00000030h]2_2_03A67208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFD26B mov eax, dword ptr fs:[00000030h]2_2_03AFD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFD26B mov eax, dword ptr fs:[00000030h]2_2_03AFD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]2_2_03A2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A59274 mov eax, dword ptr fs:[00000030h]2_2_03A59274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A71270 mov eax, dword ptr fs:[00000030h]2_2_03A71270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A71270 mov eax, dword ptr fs:[00000030h]2_2_03A71270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29240 mov eax, dword ptr fs:[00000030h]2_2_03A29240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29240 mov eax, dword ptr fs:[00000030h]2_2_03A29240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6724D mov eax, dword ptr fs:[00000030h]2_2_03A6724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]2_2_03A2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEB256 mov eax, dword ptr fs:[00000030h]2_2_03AEB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEB256 mov eax, dword ptr fs:[00000030h]2_2_03AEB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]2_2_03A36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE11A4 mov eax, dword ptr fs:[00000030h]2_2_03AE11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4B1B0 mov eax, dword ptr fs:[00000030h]2_2_03A4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]2_2_03A70185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A87190 mov eax, dword ptr fs:[00000030h]2_2_03A87190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A551EF mov eax, dword ptr fs:[00000030h]2_2_03A551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A351ED mov eax, dword ptr fs:[00000030h]2_2_03A351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD71F9 mov esi, dword ptr fs:[00000030h]2_2_03AD71F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]2_2_03B061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]2_2_03A601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6D1D0 mov eax, dword ptr fs:[00000030h]2_2_03A6D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6D1D0 mov ecx, dword ptr fs:[00000030h]2_2_03A6D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B051CB mov eax, dword ptr fs:[00000030h]2_2_03B051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]2_2_03A60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A31131 mov eax, dword ptr fs:[00000030h]2_2_03A31131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A31131 mov eax, dword ptr fs:[00000030h]2_2_03A31131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B136 mov eax, dword ptr fs:[00000030h]2_2_03A2B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]2_2_03AF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F172 mov eax, dword ptr fs:[00000030h]2_2_03A2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC9179 mov eax, dword ptr fs:[00000030h]2_2_03AC9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05152 mov eax, dword ptr fs:[00000030h]2_2_03B05152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29148 mov eax, dword ptr fs:[00000030h]2_2_03A29148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A37152 mov eax, dword ptr fs:[00000030h]2_2_03A37152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]2_2_03A2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]2_2_03AC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]2_2_03AC80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]2_2_03AF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03AF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]2_2_03A3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D08D mov eax, dword ptr fs:[00000030h]2_2_03A2D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A35096 mov eax, dword ptr fs:[00000030h]2_2_03A35096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5D090 mov eax, dword ptr fs:[00000030h]2_2_03A5D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5D090 mov eax, dword ptr fs:[00000030h]2_2_03A5D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6909C mov eax, dword ptr fs:[00000030h]2_2_03A6909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A550E4 mov eax, dword ptr fs:[00000030h]2_2_03A550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A550E4 mov ecx, dword ptr fs:[00000030h]2_2_03A550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03A2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]2_2_03A380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]2_2_03AB60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03A2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]2_2_03A720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov ecx, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov ecx, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov ecx, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov ecx, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A470C0 mov eax, dword ptr fs:[00000030h]2_2_03A470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B050D9 mov eax, dword ptr fs:[00000030h]2_2_03B050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD0C0 mov eax, dword ptr fs:[00000030h]2_2_03AAD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD0C0 mov eax, dword ptr fs:[00000030h]2_2_03AAD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]2_2_03AB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A590DB mov eax, dword ptr fs:[00000030h]2_2_03A590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]2_2_03A2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]2_2_03A2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF903E mov eax, dword ptr fs:[00000030h]2_2_03AF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF903E mov eax, dword ptr fs:[00000030h]2_2_03AF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF903E mov eax, dword ptr fs:[00000030h]2_2_03AF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF903E mov eax, dword ptr fs:[00000030h]2_2_03AF903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]2_2_03AB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB106E mov eax, dword ptr fs:[00000030h]2_2_03AB106E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05060 mov eax, dword ptr fs:[00000030h]2_2_03B05060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov ecx, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A41070 mov eax, dword ptr fs:[00000030h]2_2_03A41070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]2_2_03A5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAD070 mov ecx, dword ptr fs:[00000030h]2_2_03AAD070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]2_2_03A32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD705E mov ebx, dword ptr fs:[00000030h]2_2_03AD705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD705E mov eax, dword ptr fs:[00000030h]2_2_03AD705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5B052 mov eax, dword ptr fs:[00000030h]2_2_03A5B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]2_2_03AB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB97A9 mov eax, dword ptr fs:[00000030h]2_2_03AB97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABF7AF mov eax, dword ptr fs:[00000030h]2_2_03ABF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABF7AF mov eax, dword ptr fs:[00000030h]2_2_03ABF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABF7AF mov eax, dword ptr fs:[00000030h]2_2_03ABF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABF7AF mov eax, dword ptr fs:[00000030h]2_2_03ABF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABF7AF mov eax, dword ptr fs:[00000030h]2_2_03ABF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B037B6 mov eax, dword ptr fs:[00000030h]2_2_03B037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]2_2_03A307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5D7B0 mov eax, dword ptr fs:[00000030h]2_2_03A5D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F7BA mov eax, dword ptr fs:[00000030h]2_2_03A2F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF78A mov eax, dword ptr fs:[00000030h]2_2_03AEF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3D7E0 mov ecx, dword ptr fs:[00000030h]2_2_03A3D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03A3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A357C0 mov eax, dword ptr fs:[00000030h]2_2_03A357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A357C0 mov eax, dword ptr fs:[00000030h]2_2_03A357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A357C0 mov eax, dword ptr fs:[00000030h]2_2_03A357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]2_2_03AB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF72E mov eax, dword ptr fs:[00000030h]2_2_03AEF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A33720 mov eax, dword ptr fs:[00000030h]2_2_03A33720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4F720 mov eax, dword ptr fs:[00000030h]2_2_03A4F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4F720 mov eax, dword ptr fs:[00000030h]2_2_03A4F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4F720 mov eax, dword ptr fs:[00000030h]2_2_03A4F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF972B mov eax, dword ptr fs:[00000030h]2_2_03AF972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0B73C mov eax, dword ptr fs:[00000030h]2_2_03B0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0B73C mov eax, dword ptr fs:[00000030h]2_2_03B0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0B73C mov eax, dword ptr fs:[00000030h]2_2_03B0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0B73C mov eax, dword ptr fs:[00000030h]2_2_03B0B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29730 mov eax, dword ptr fs:[00000030h]2_2_03A29730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A29730 mov eax, dword ptr fs:[00000030h]2_2_03A29730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A65734 mov eax, dword ptr fs:[00000030h]2_2_03A65734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3973A mov eax, dword ptr fs:[00000030h]2_2_03A3973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3973A mov eax, dword ptr fs:[00000030h]2_2_03A3973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]2_2_03AAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A37703 mov eax, dword ptr fs:[00000030h]2_2_03A37703
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A35702 mov eax, dword ptr fs:[00000030h]2_2_03A35702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A35702 mov eax, dword ptr fs:[00000030h]2_2_03A35702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]2_2_03A6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]2_2_03A30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]2_2_03A60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6F71F mov eax, dword ptr fs:[00000030h]2_2_03A6F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6F71F mov eax, dword ptr fs:[00000030h]2_2_03A6F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B765 mov eax, dword ptr fs:[00000030h]2_2_03A2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B765 mov eax, dword ptr fs:[00000030h]2_2_03A2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B765 mov eax, dword ptr fs:[00000030h]2_2_03A2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2B765 mov eax, dword ptr fs:[00000030h]2_2_03A2B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]2_2_03A38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]2_2_03A40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A43740 mov eax, dword ptr fs:[00000030h]2_2_03A43740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A43740 mov eax, dword ptr fs:[00000030h]2_2_03A43740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A43740 mov eax, dword ptr fs:[00000030h]2_2_03A43740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]2_2_03A6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]2_2_03A6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]2_2_03A30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]2_2_03A72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B03749 mov eax, dword ptr fs:[00000030h]2_2_03B03749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]2_2_03AB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03A6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D6AA mov eax, dword ptr fs:[00000030h]2_2_03A2D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2D6AA mov eax, dword ptr fs:[00000030h]2_2_03A2D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A276B2 mov eax, dword ptr fs:[00000030h]2_2_03A276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A276B2 mov eax, dword ptr fs:[00000030h]2_2_03A276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A276B2 mov eax, dword ptr fs:[00000030h]2_2_03A276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]2_2_03A666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB368C mov eax, dword ptr fs:[00000030h]2_2_03AB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB368C mov eax, dword ptr fs:[00000030h]2_2_03AB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB368C mov eax, dword ptr fs:[00000030h]2_2_03AB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB368C mov eax, dword ptr fs:[00000030h]2_2_03AB368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]2_2_03A34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC36EE mov eax, dword ptr fs:[00000030h]2_2_03AC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC36EE mov eax, dword ptr fs:[00000030h]2_2_03AC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC36EE mov eax, dword ptr fs:[00000030h]2_2_03AC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC36EE mov eax, dword ptr fs:[00000030h]2_2_03AC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC36EE mov eax, dword ptr fs:[00000030h]2_2_03AC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC36EE mov eax, dword ptr fs:[00000030h]2_2_03AC36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5D6E0 mov eax, dword ptr fs:[00000030h]2_2_03A5D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5D6E0 mov eax, dword ptr fs:[00000030h]2_2_03A5D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A636EF mov eax, dword ptr fs:[00000030h]2_2_03A636EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03AAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]2_2_03AB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AED6F0 mov eax, dword ptr fs:[00000030h]2_2_03AED6F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03A6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03A6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]2_2_03A3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]2_2_03A3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]2_2_03A3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]2_2_03A3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]2_2_03A3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3B6C0 mov eax, dword ptr fs:[00000030h]2_2_03A3B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF16CC mov eax, dword ptr fs:[00000030h]2_2_03AF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF16CC mov eax, dword ptr fs:[00000030h]2_2_03AF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF16CC mov eax, dword ptr fs:[00000030h]2_2_03AF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF16CC mov eax, dword ptr fs:[00000030h]2_2_03AF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEF6C7 mov eax, dword ptr fs:[00000030h]2_2_03AEF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A616CF mov eax, dword ptr fs:[00000030h]2_2_03A616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]2_2_03A4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2F626 mov eax, dword ptr fs:[00000030h]2_2_03A2F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]2_2_03A66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B05636 mov eax, dword ptr fs:[00000030h]2_2_03B05636
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]2_2_03A68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]2_2_03A3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A61607 mov eax, dword ptr fs:[00000030h]2_2_03A61607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]2_2_03AAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6F603 mov eax, dword ptr fs:[00000030h]2_2_03A6F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]2_2_03A4260B

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\RdichqztBg.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\RdichqztBg.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2EBD008Jump to behavior
          Source: C:\Users\user\Desktop\RdichqztBg.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RdichqztBg.exe"Jump to behavior
          Source: RdichqztBg.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1971334766.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.1971334766.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		212
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping121
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		212
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS11
          System Information Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          RdichqztBg.exe67%VirustotalBrowse
          RdichqztBg.exe71%ReversingLabsWin32.Trojan.AutoitInject
          RdichqztBg.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          s-part-0017.t-0009.t-msedge.net
          		13.107.246.45
          		truefalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1588378
            Start date and time:2025-01-11 01:41:48 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 25s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Run name:Run with higher sleep bypass
            Number of analysed new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:RdichqztBg.exe
            renamed because original name is a hash value
            Original Sample Name:7d2dba45bf81abba9d31ec681038d84fa98517b3034cfdf235f4de68a3876f98.exe
            Detection:MAL
            Classification:mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 92%
            • Number of executed functions: 11
            • Number of non-executed functions: 326
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
            • Stop behavior analysis, all processes terminated

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            s-part-0017.t-0009.t-msedge.netAraK29dzhH.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            YrCSUX2O3I.exeGet hashmaliciousGuLoaderBrowse
            • 13.107.246.45
            http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==Get hashmaliciousUnknownBrowse
            • 13.107.246.45
            uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            12621132703258916868.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            Cpfkf79Rzk.exeGet hashmaliciousGuLoaderBrowse
            • 13.107.246.45
            https://noiclethomas.wixsite.com/riceGet hashmaliciousUnknownBrowse
            • 13.107.246.45
            TjoY7n65om.exeGet hashmaliciousSnake KeyloggerBrowse
            • 13.107.246.45
            OKkUGRkZV7.exeGet hashmaliciousRemcosBrowse
            • 13.107.246.45
            https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351Get hashmaliciousUnknownBrowse
            • 13.107.246.45

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\aut2983.tmp

            Download File
            Process:C:\Users\user\Desktop\RdichqztBg.exe
            File Type:data
            Category:dropped
            Size (bytes):288256
            Entropy (8bit):7.995442581254366
            Encrypted:true
            SSDEEP:6144:0RbPQriXVfFyntPZw/ulbJfHdBaHsS2MVC+BUuPP:0RbPQrEVfFkc/uVpHss8VCeUOP
            MD5:3D5FDF8F8812449DA44A028082A33A51
            SHA1:80D4DAA6785A962E1D0FE23712A032E372E5B28B
            SHA-256:39B8B491F3CD94B34F3BBE5B12D13280DF511B3B13A52A9DFB6592E1C7F36306
            SHA-512:76F503F3373A7E6C63621BAAE40AE7750791F00FF7EE06505962AED3EC9D2F7692A706A2ACC830671EBE64695EB51E7663ED2001530AD31E94BA59C360BFB0C9
            Malicious:false
            Reputation:low
            Preview:|..250Q10WR1..X4.H1QDLUB.FSA741IC260Q14WR1LBX4JH1QDLUBCFSA74.IC28/.?4.[.m.Yx.ie9-?u21)43VY.*"\X_%.V2rC9,x]$hu..l8-'#}L:>.IC260Q1MV[.q"?.w(V.y,2.Y....TV.Y...mQS.H..dT-.c8'$h"$.SA741IC2fuQ1xVS10..hJH1QDLUB.FQ@<5:ICf20Q14WR1LBh!JH1ADLU2GFSAw41YC262Q12WR1LBX4LH1QDLUBC6WA761IC260S1t.R1\BX$JH1QTLURCFSA74!IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1b6=L>H1Q..QBCVSA7`5IC"60Q14WR1LBX4JH.QD,UBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14W

            C:\Users\user\AppData\Local\Temp\sticket

            Download File
            Process:C:\Users\user\Desktop\RdichqztBg.exe
            File Type:data
            Category:dropped
            Size (bytes):288256
            Entropy (8bit):7.995442581254366
            Encrypted:true
            SSDEEP:6144:0RbPQriXVfFyntPZw/ulbJfHdBaHsS2MVC+BUuPP:0RbPQrEVfFkc/uVpHss8VCeUOP
            MD5:3D5FDF8F8812449DA44A028082A33A51
            SHA1:80D4DAA6785A962E1D0FE23712A032E372E5B28B
            SHA-256:39B8B491F3CD94B34F3BBE5B12D13280DF511B3B13A52A9DFB6592E1C7F36306
            SHA-512:76F503F3373A7E6C63621BAAE40AE7750791F00FF7EE06505962AED3EC9D2F7692A706A2ACC830671EBE64695EB51E7663ED2001530AD31E94BA59C360BFB0C9
            Malicious:false
            Reputation:low
            Preview:|..250Q10WR1..X4.H1QDLUB.FSA741IC260Q14WR1LBX4JH1QDLUBCFSA74.IC28/.?4.[.m.Yx.ie9-?u21)43VY.*"\X_%.V2rC9,x]$hu..l8-'#}L:>.IC260Q1MV[.q"?.w(V.y,2.Y....TV.Y...mQS.H..dT-.c8'$h"$.SA741IC2fuQ1xVS10..hJH1QDLUB.FQ@<5:ICf20Q14WR1LBh!JH1ADLU2GFSAw41YC262Q12WR1LBX4LH1QDLUBC6WA761IC260S1t.R1\BX$JH1QTLURCFSA74!IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1b6=L>H1Q..QBCVSA7`5IC"60Q14WR1LBX4JH.QD,UBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14WR1LBX4JH1QDLUBCFSA741IC260Q14W

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.20112516733397
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:RdichqztBg.exe
            File size:1'219'584 bytes
            MD5:1775ea702512bcb8aba8fb91b27d34a6
            SHA1:ccceafffca25cc72770aef71b5d4832f7493af45
            SHA256:7d2dba45bf81abba9d31ec681038d84fa98517b3034cfdf235f4de68a3876f98
            SHA512:dfe430101e2379b5f87295ee4b533ecb0f95a3759a161782d1da42d8e88cc40bfcaf9477ecc96f12f0ff1fe942704f3a1961d8191cad657b90c210d98347a4f7
            SSDEEP:24576:Tu6J33O0c+JY5UZ+XC0kGso6Faj4ZIhRlSN1Xd9WY:9u0c++OCvkGs9FajcWAAY
            TLSH:1B45CF2273DDC360CB669173BF69B7016EBF3C614630B95B2F880D7DA960162162D7A3
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

            File Icon

            Icon Hash:aaf3e3e3938382a0

            Static PE Info

            General

            Entrypoint:0x427dcd
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x6752F1EF [Fri Dec 6 12:45:35 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7

            Entrypoint Preview

            Instruction
            call 00007F08F90AF92Ah
            jmp 00007F08F90A26F4h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F08F90A287Ah
            cmp edi, eax
            jc 00007F08F90A2BDEh
            bt dword ptr [004C31FCh], 01h
            jnc 00007F08F90A2879h
            rep movsb
            jmp 00007F08F90A2B8Ch
            cmp ecx, 00000080h
            jc 00007F08F90A2A44h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F08F90A2880h
            bt dword ptr [004BE324h], 01h
            jc 00007F08F90A2D50h
            bt dword ptr [004C31FCh], 00000000h
            jnc 00007F08F90A2A1Dh
            test edi, 00000003h
            jne 00007F08F90A2A2Eh
            test esi, 00000003h
            jne 00007F08F90A2A0Dh
            bt edi, 02h
            jnc 00007F08F90A287Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F08F90A2883h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F08F90A28D5h
            bt esi, 03h
            jnc 00007F08F90A2928h

            Rich Headers

            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD4 build 31101
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD4 build 31101

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xba44c0x17c.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x61204.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1290000x711c.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa48700x40.rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x8dcc40x8de00d28a820a1d9ff26cda02d12b888ba4b4False0.5728679102422908data6.676118058520316IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x8f0000x2e10e0x2e20079b14b254506b0dbc8cd0ad67fb70ad9False0.33535526761517614OpenPGP Public Key5.76010872795207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0xbe0000x8f740x52009f9d6f746f1a415a63de45f8b7983d33False0.1017530487804878data1.198745897703538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0xc70000x612040x61400b8e0ef02c1afae2e4e15650a44779321False0.931771168059126data7.904284117616479IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x1290000x711c0x72006fcae3cbbf6bfbabf5ec5bbe7cf612c3False0.7650767543859649data6.779031650454199IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_ICON0xc75a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
            RT_ICON0xc76d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
            RT_ICON0xc77f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
            RT_ICON0xc79200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
            RT_ICON0xc7c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
            RT_ICON0xc7d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
            RT_ICON0xc8bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
            RT_ICON0xc94800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
            RT_ICON0xc99e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
            RT_ICON0xcbf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
            RT_ICON0xcd0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
            RT_MENU0xcd4a00x50dataEnglishGreat Britain0.9
            RT_STRING0xcd4f00x594dataEnglishGreat Britain0.3333333333333333
            RT_STRING0xcda840x68adataEnglishGreat Britain0.2747909199522103
            RT_STRING0xce1100x490dataEnglishGreat Britain0.3715753424657534
            RT_STRING0xce5a00x5fcdataEnglishGreat Britain0.3087467362924282
            RT_STRING0xceb9c0x65cdataEnglishGreat Britain0.34336609336609336
            RT_STRING0xcf1f80x466dataEnglishGreat Britain0.3605683836589698
            RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
            RT_RCDATA0xcf7b80x584cbdata1.0003345545033524
            RT_GROUP_ICON0x127c840x76dataEnglishGreat Britain0.6610169491525424
            RT_GROUP_ICON0x127cfc0x14dataEnglishGreat Britain1.25
            RT_GROUP_ICON0x127d100x14dataEnglishGreat Britain1.15
            RT_GROUP_ICON0x127d240x14dataEnglishGreat Britain1.25
            RT_VERSION0x127d380xdcdataEnglishGreat Britain0.6181818181818182
            RT_MANIFEST0x127e140x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

            Imports

            DLLImport
            WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLLGetProcessMemoryInfo
            IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dllIsThemeActive
            KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishGreat Britain

            Network Behavior

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Jan 11, 2025 01:42:37.686387062 CET1.1.1.1192.168.2.90x805cNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
            Jan 11, 2025 01:42:37.686387062 CET1.1.1.1192.168.2.90x805cNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:19:42:40
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\RdichqztBg.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\RdichqztBg.exe"
            Imagebase:0xbf0000
            File size:1'219'584 bytes
            MD5 hash:1775EA702512BCB8ABA8FB91B27D34A6
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:2
            Start time:19:42:46
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\RdichqztBg.exe"
            Imagebase:0x4c0000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1971334766.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:0.8%
              Dynamic/Decrypted Code Coverage:5.8%
              Signature Coverage:5.8%
              Total number of Nodes:103
              Total number of Limit Nodes:10
              execution_graph 79147 425043 79148 42505c 79147->79148 79149 4250a7 79148->79149 79152 4250ea 79148->79152 79154 4250ef 79148->79154 79155 42ea73 79149->79155 79153 42ea73 RtlFreeHeap 79152->79153 79153->79154 79158 42cd63 79155->79158 79157 4250b7 79159 42cd7d 79158->79159 79160 42cd8e RtlFreeHeap 79159->79160 79160->79157 79161 42bfe3 79162 42c000 79161->79162 79165 3a72df0 LdrInitializeThunk 79162->79165 79163 42c028 79165->79163 79238 42eb53 79241 42cd13 79238->79241 79240 42eb6b 79242 42cd2d 79241->79242 79243 42cd3e RtlAllocateHeap 79242->79243 79243->79240 79244 42fb73 79245 42ea73 RtlFreeHeap 79244->79245 79246 42fb88 79245->79246 79247 42fef3 79249 42ff19 79247->79249 79248 42ff6b 79249->79248 79252 429db3 79249->79252 79251 42ffc0 79253 429e10 79252->79253 79255 429e24 79253->79255 79256 417b03 79253->79256 79255->79251 79257 417ad5 79256->79257 79259 417afa 79256->79259 79258 417ae3 LdrLoadDll 79257->79258 79257->79259 79258->79259 79259->79255 79260 424cb3 79261 424ccf 79260->79261 79262 424cf7 79261->79262 79263 424d0b 79261->79263 79265 42c9f3 NtClose 79262->79265 79264 42c9f3 NtClose 79263->79264 79267 424d14 79264->79267 79266 424d00 79265->79266 79270 42eb93 RtlAllocateHeap 79267->79270 79269 424d1f 79270->79269 79271 413f13 79275 413f33 79271->79275 79273 413f9c 79274 413f92 79275->79273 79276 41b6e3 RtlFreeHeap LdrInitializeThunk 79275->79276 79276->79274 79166 401ae5 79167 401ae3 79166->79167 79167->79166 79167->79167 79170 42ffe3 79167->79170 79173 42e643 79170->79173 79174 42e666 79173->79174 79183 407463 79174->79183 79176 42e67c 79182 401be7 79176->79182 79186 41b3d3 79176->79186 79178 42e69b 79179 42cdb3 ExitProcess 79178->79179 79180 42e6b0 79178->79180 79179->79180 79197 42cdb3 79180->79197 79200 416733 79183->79200 79185 407470 79185->79176 79187 41b3ff 79186->79187 79218 41b2c3 79187->79218 79190 41b444 79193 41b460 79190->79193 79195 42c9f3 NtClose 79190->79195 79191 41b42c 79192 41b437 79191->79192 79224 42c9f3 79191->79224 79192->79178 79193->79178 79196 41b456 79195->79196 79196->79178 79198 42cdcd 79197->79198 79199 42cdde ExitProcess 79198->79199 79199->79182 79201 416750 79200->79201 79203 416766 79201->79203 79204 42d453 79201->79204 79203->79185 79206 42d46d 79204->79206 79205 42d49c 79205->79203 79206->79205 79211 42c033 79206->79211 79209 42ea73 RtlFreeHeap 79210 42d512 79209->79210 79210->79203 79212 42c04d 79211->79212 79215 3a72c0a 79212->79215 79213 42c079 79213->79209 79216 3a72c11 79215->79216 79217 3a72c1f LdrInitializeThunk 79215->79217 79216->79213 79217->79213 79219 41b2dd 79218->79219 79223 41b3b9 79218->79223 79227 42c0d3 79219->79227 79222 42c9f3 NtClose 79222->79223 79223->79190 79223->79191 79225 42ca10 79224->79225 79226 42ca21 NtClose 79225->79226 79226->79192 79228 42c0ed 79227->79228 79231 3a735c0 LdrInitializeThunk 79228->79231 79229 41b3ad 79229->79222 79231->79229 79232 3a72b60 LdrInitializeThunk 79233 40ac0e 79234 40ac16 79233->79234 79236 40ab5d 79233->79236 79235 40ab5e 79236->79235 79237 40abdb NtDelayExecution 79236->79237 79237->79236

              Executed Functions

              Function 0040AA5D Relevance: 1.6, APIs: 1, Instructions: 127COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 35 40aa5d-40aacf 37 40ab21-40ab26 35->37 38 40aad1-40aadb 35->38 39 40ab27-40ab3a 37->39 38->37 39->39 40 40ab3c-40ab5c 39->40 41 40abdb-40abe0 NtDelayExecution 40->41 42 40ab5d 40->42 45 40abe5-40abed 41->45 43 40ab99-40aba4 42->43 44 40ab5e-40ab76 42->44 46 40aba5-40aba7 43->46 47 40ab83-40ab96 44->47 45->47 48 40abef-40abf5 45->48 46->42 49 40aba9-40abc7 46->49 48->46 50 40abf7-40ac0d 48->50 49->45 51 40abc9-40abd8 49->51 51->41
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d2ad9849b508fdee32b083bfd9bfe77e4c6119186f407687e11bddd623b26287
              • Instruction ID: 38770f26f6536931a8bfbdcc8e542fdc372e6b5c8be7a4dc0cd7013f7aeccc84
              • Opcode Fuzzy Hash: d2ad9849b508fdee32b083bfd9bfe77e4c6119186f407687e11bddd623b26287
              • Instruction Fuzzy Hash: 7831FB325896478FC7229E388C815C9BBB1FB923207244356C5A04B2D7E735A093C796
              Function 00417A83 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 52 417a83-417aac call 42f653 55 417ab2-417ac0 call 42fc53 52->55 56 417aae-417ab1 52->56 59 417ad0-417ae1 call 42e113 55->59 60 417ac2-417acd call 42fef3 55->60 65 417ae3-417af7 LdrLoadDll 59->65 66 417afa-417afd 59->66 60->59 65->66
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AF5
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 1bd6b9b3f9a3a703cd6f7cd3cc21eb108ae6c6a5492f06d3a52e8d6e247aa079
              • Instruction ID: eaf5f4e168246c305f94dc0bbb2aca7b58ab22f6bde61e0e4eb5a593271938f3
              • Opcode Fuzzy Hash: 1bd6b9b3f9a3a703cd6f7cd3cc21eb108ae6c6a5492f06d3a52e8d6e247aa079
              • Instruction Fuzzy Hash: 090175B5E0010DABDF10DBE5DC42FDEB378AF14348F4081A6E90897241F675EB588795
              Function 0042C9F3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 78 42c9f3-42ca2f call 4048a3 call 42dc33 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CA2A
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: ee4ec558f62bc218c368cc0b405eff94a443ef14152aa81c2af7c35d61ae86dd
              • Instruction ID: 67e8b450b9222bb80ac86144111069fe3f08783990a57a80b099334205c97f03
              • Opcode Fuzzy Hash: ee4ec558f62bc218c368cc0b405eff94a443ef14152aa81c2af7c35d61ae86dd
              • Instruction Fuzzy Hash: 3CE04F3A2102147BD520BA5ADC41F97B76CDFC5724F50842AFA0867142C6B4791187B4
              Function 03A735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 94 3a735c0-3a735cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: ebce7f13fa05659ffeff7f52b65f0bbfe17cb251d2be97d1ebc7546275e37624
              • Instruction ID: 8be3f98a60af97975ec109fd72819471920c05d00907bd7c21b7e5f0758742fa
              • Opcode Fuzzy Hash: ebce7f13fa05659ffeff7f52b65f0bbfe17cb251d2be97d1ebc7546275e37624
              • Instruction Fuzzy Hash: 1290023160550802D100B2584554746500A87D0301FA6C412A042456CD8B998A5165B2
              Function 03A72B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 92 3a72b60-3a72b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 8d0f7406ee9ccafca5a2668ad6899c7002d2a07bf6a5384c6dffbe39a2afeaba
              • Instruction ID: f2f3aed07c35dfcbf5890919c288cb173e9f7752dfdc21db169de1d2204c02dc
              • Opcode Fuzzy Hash: 8d0f7406ee9ccafca5a2668ad6899c7002d2a07bf6a5384c6dffbe39a2afeaba
              • Instruction Fuzzy Hash: 43900261202404034105B2584454656800F87E0301B96C022E1014594DCA2989916135
              Function 03A72DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 93 3a72df0-3a72dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 334d6813db9daf9f5c216bef16ef87c1c2013ed93ad0fbf0ae15e470e99e1be9
              • Instruction ID: 7e6c41b1e2a895b3658c0bbefc5c344f7b2255cc5c1d8d85d620e24d36ff4704
              • Opcode Fuzzy Hash: 334d6813db9daf9f5c216bef16ef87c1c2013ed93ad0fbf0ae15e470e99e1be9
              • Instruction Fuzzy Hash: DB90023120140813D111B2584544747400E87D0341FD6C413A042455CD9B5A8A52A131
              Function 00417B03 Relevance: 1.6, APIs: 1, Instructions: 135libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 9 417b03-417b14 10 417ad5-417ae1 9->10 11 417b15-417b27 9->11 12 417ae3-417af7 LdrLoadDll 10->12 13 417afa 10->13 11->11 14 417b29-417b42 11->14 12->13 15 417afc-417afd 13->15 16 417bc2-417bd8 14->16 17 417b44-417b5c 14->17 18 417b61-417b69 16->18 19 417bda-417be1 16->19 17->18 20 417b6a-417b73 18->20 21 417b75 20->21 21->15 22 417b77-417b7a 21->22 22->21 23 417b7c 22->23 24 417b7e-417b8b 23->24 25 417bb8-417bbe 24->25 26 417b8e-417b99 24->26 25->16 26->20 27 417b9b 26->27 28 417b9d-417ba3 27->28 28->28 29 417ba5 28->29 29->24 30 417ba7-417ba9 29->30 31 417c29-417c3e call 42b9d3 30->31 32 417bab-417bb7 30->32 32->25
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417AF5
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: 3337a90113c795202259a43ed76fb03d8e8333ee5ff191d8cbf6b21d32f201eb
              • Instruction ID: 0aa9f35f62bd185860c540aa92ec317d976a02f25f87ed18137ed45d41069173
              • Opcode Fuzzy Hash: 3337a90113c795202259a43ed76fb03d8e8333ee5ff191d8cbf6b21d32f201eb
              • Instruction Fuzzy Hash: 2B31E17550C5495ECB218E688C42ADFBBB8EF06354B04069EEC99D7352E211D983C7DA
              Function 0042CD63 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 73 42cd63-42cda4 call 4048a3 call 42dc33 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,8B0C7D8B,00000007,00000000,00000004,00000000,004172F8,000000F4), ref: 0042CD9F
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 810a74616cf1f7edc9571f81092c2c68541171432b2a4d28ec1c79f1b828dcf6
              • Instruction ID: 576e8f37e0f366598811bb02d8582a6d4701289f1a7d2aac93200c29c3a7f4fa
              • Opcode Fuzzy Hash: 810a74616cf1f7edc9571f81092c2c68541171432b2a4d28ec1c79f1b828dcf6
              • Instruction Fuzzy Hash: 11E06DB26043447BD624EE59EC41E9B77ACDFC5714F008419F908A7281C670B911CBB4
              Function 0042CD13 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 68 42cd13-42cd54 call 4048a3 call 42dc33 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E85E,?,?,00000000,?,0041E85E,?,?,?), ref: 0042CD4F
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 46b9de866ae9e9211aba3bbfc007d892797bd0d84365835a31f5fbe6f5627678
              • Instruction ID: d47a85022bb06e3de0df504e0e8efd14ee9f4ff0c9458c5936fc4a0e01cd326a
              • Opcode Fuzzy Hash: 46b9de866ae9e9211aba3bbfc007d892797bd0d84365835a31f5fbe6f5627678
              • Instruction Fuzzy Hash: BAE06D722007147BD614EE9ADC45F9B73ACDFC9714F004419F908A7241C674B9118BB8
              Function 0042CDB3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 83 42cdb3-42cdec call 4048a3 call 42dc33 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 657375991ed09f145d430e73990d8a404f0cc7c069c1b0f3b893de6edf3fbbdd
              • Instruction ID: 2f2eb0f1e79f340e5ae3fadfa6bd988a84cfc33541777cfee2ac03f742b49ff7
              • Opcode Fuzzy Hash: 657375991ed09f145d430e73990d8a404f0cc7c069c1b0f3b893de6edf3fbbdd
              • Instruction Fuzzy Hash: DEE04F762046147BD120AA5ADC41FD7776CDFC5714F40441AFA4C67141D7B4791187A4
              Function 03A72C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 88 3a72c0a-3a72c0f 89 3a72c11-3a72c18 88->89 90 3a72c1f-3a72c26 LdrInitializeThunk 88->90
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 52fc328b12e02d0848c86f9ef43994524745637387dbef4d8dbd7cdaff7024fe
              • Instruction ID: 6f5e2efa675efa3c8a7ba8ee2e8f84cee8cd93609338ab83b39bb35e1f488e02
              • Opcode Fuzzy Hash: 52fc328b12e02d0848c86f9ef43994524745637387dbef4d8dbd7cdaff7024fe
              • Instruction Fuzzy Hash: 6AB09B719015C5C5DA11F7604A4C717790967D0701F5AC477D3030645E473DC5D1E175

              Non-executed Functions

              Function 03AB2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: e0297197d5d3159490b7059e4d16ba47fe15b0b164a897bb4555a7dff4a69f31
              • Instruction ID: 3085a0817375a896473837cc336847bf042aed95b42707ce3926013e328532a8
              • Opcode Fuzzy Hash: e0297197d5d3159490b7059e4d16ba47fe15b0b164a897bb4555a7dff4a69f31
              • Instruction Fuzzy Hash: 5D926B75604341ABD720DF24C984BAAB7FCBB84754F084D2FFA949B292D774E844CB92
              Function 03A268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-3089669407
              • Opcode ID: 9006e9db255b38701ac9f4f8dbe055bafcd4fdb90fe68eb63229728c6787e922
              • Instruction ID: 4cdf410707c7df4adb26691de4961464925a392cee14cac0e036656063747780
              • Opcode Fuzzy Hash: 9006e9db255b38701ac9f4f8dbe055bafcd4fdb90fe68eb63229728c6787e922
              • Instruction Fuzzy Hash: D48105B2D022187F9B21FB98EED4DEEB7BDAB19654B044527B910F7514D720ED048BA0
              Function 03A68620 Relevance: 19.0, Strings: 15, Instructions: 223COMMON
              Download Yara Rule
              Strings
              • undeleted critical section in freed memory, xrefs: 03AA542B
              • Critical section address, xrefs: 03AA5425, 03AA54BC, 03AA5534
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA54CE
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA540A, 03AA5496, 03AA5519
              • Thread is in a state in which it cannot own a critical section, xrefs: 03AA5543
              • Critical section address., xrefs: 03AA5502
              • 8, xrefs: 03AA52E3
              • Critical section debug info address, xrefs: 03AA541F, 03AA552E
              • Thread identifier, xrefs: 03AA553A
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 03AA54E2
              • Invalid debug info address of this critical section, xrefs: 03AA54B6
              • I_wI_w@4_w@4_w, xrefs: 03AA5341, 03AA534D
              • Address of the debug info found in the active list., xrefs: 03AA54AE, 03AA54FA
              • corrupted critical section, xrefs: 03AA54C2
              • double initialized or corrupted critical section, xrefs: 03AA5508
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory$I_wI_w@4_w@4_w
              • API String ID: 0-4161880443
              • Opcode ID: 4e2e2701dfcdec1fe0fc97b220e635e1904667e824efdd1385135cf6e0371e57
              • Instruction ID: 9880351710fdf7893f13d613f82f7bd5fea31d2acf8dd7b7dfcf0e71f185574a
              • Opcode Fuzzy Hash: 4e2e2701dfcdec1fe0fc97b220e635e1904667e824efdd1385135cf6e0371e57
              • Instruction Fuzzy Hash: A581BCB5E00758BFDB20CF98C940BAEBBB9FB49704F14415AF518BB241D379A940CB64
              Function 03A60F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
              • API String ID: 0-360209818
              • Opcode ID: 2a55848a644e8b1765eb0b3a81bd29310f327a5948d1084e19f9ea191c34dee5
              • Instruction ID: 552dca624339f647f9c008a499f4cbc42bbf98bde4bc394d710aa196421673fe
              • Opcode Fuzzy Hash: 2a55848a644e8b1765eb0b3a81bd29310f327a5948d1084e19f9ea191c34dee5
              • Instruction Fuzzy Hash: 77629EB6E006299FDB24CF18C8407A9B7B6EF95320F5982DFD449AB280D7365AD1CF50
              Function 03AE12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
              • API String ID: 0-3591852110
              • Opcode ID: cdabc38ef213a8776de989863a82d1bde7423cd39bd6c025b790f3bec706a113
              • Instruction ID: 354955615d5b02836554ef9c6867f6872e4ee4c1aa768de67680e1769748330e
              • Opcode Fuzzy Hash: cdabc38ef213a8776de989863a82d1bde7423cd39bd6c025b790f3bec706a113
              • Instruction Fuzzy Hash: 6712AC74604662EFD725DF29C441BBABBF5FF0A714F08845EE4968B681D738E880CB60
              Function 03A4AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
              • API String ID: 0-3197712848
              • Opcode ID: bdb621e8633e23c94a346d1efd3f11e4e6df76233c79242e06e582ccfafd1fbb
              • Instruction ID: 2c5fe55d5829b2facc561aa9e9db98a35adbad48e25e97794b1df0aeab541349
              • Opcode Fuzzy Hash: bdb621e8633e23c94a346d1efd3f11e4e6df76233c79242e06e582ccfafd1fbb
              • Instruction Fuzzy Hash: 6F12F271A083419FD724DF28C540BAAB7E8BFC5708F084A5FF8999B291E774D944CB62
              Function 03A2D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
              • API String ID: 0-3532704233
              • Opcode ID: 855b1fd951376812160fa4afca1e500877ed3f72948186df39c822ea1cae5d8a
              • Instruction ID: 727d4895858d08c81bd493feaf36f0f3778aa07cf581a5b26443c63f147fa37d
              • Opcode Fuzzy Hash: 855b1fd951376812160fa4afca1e500877ed3f72948186df39c822ea1cae5d8a
              • Instruction Fuzzy Hash: E7B1AD729083619FC711EF28C980B6BBBE8BB88754F05492FF899DB341D774D9448B92
              Function 03AE0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
              • API String ID: 0-1357697941
              • Opcode ID: 3c979374273fbcd393c890077c69f19fd506eab7810244c285ca6598d2182311
              • Instruction ID: eb56436a0fbab5d3218fa807db58635396c5740f78a8e0eddcfe9a1b254c8353
              • Opcode Fuzzy Hash: 3c979374273fbcd393c890077c69f19fd506eab7810244c285ca6598d2182311
              • Instruction Fuzzy Hash: C8F10235A04695EFCB25DF6AC480BAAFBF5FF09704F08805FE4969B282C774A945CB50
              Function 03AC9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 0-3063724069
              • Opcode ID: 1652e4432f2c0496356dadf8ffb7b026805bff45b8f574c6c23ca6c1a6cad84f
              • Instruction ID: 01e6c9f6e19bbd619502a61e8576617ae89d1b05af0218fea09a585f921164e4
              • Opcode Fuzzy Hash: 1652e4432f2c0496356dadf8ffb7b026805bff45b8f574c6c23ca6c1a6cad84f
              • Instruction Fuzzy Hash: 89D1D572814395AFD721DB64C980BAFB7ECAF84714F04492FFA949B290E774C948C792
              Function 03AE0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 83c3be018435cb1eab360c79bcaf07fc1a8cc66b953b8cf48365224eb40140fc
              • Instruction ID: 9e6f718e18ef580b00d92a16e974ea74100a23be4c80770890ca8b7f1d77a26f
              • Opcode Fuzzy Hash: 83c3be018435cb1eab360c79bcaf07fc1a8cc66b953b8cf48365224eb40140fc
              • Instruction Fuzzy Hash: 1ED1CC35500685EFCB26EF6AC540AAEFBF1FF5A704F08814AE4559B762C7B89941CB20
              Function 03A2D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 03A2D262
              • @, xrefs: 03A2D0FD
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03A2D0CF
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 03A2D2C3
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 03A2D196
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 03A2D146
              • @, xrefs: 03A2D2AF
              • @, xrefs: 03A2D313
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              • Opcode ID: a53b2ce46afe2029fd3e0496936f941aec567b482aeede95d32d6e795c25d485
              • Instruction ID: af6a3e45794e8b79c273eaf285537dba7fd3ca2d260ec09f6c71290b060196fe
              • Opcode Fuzzy Hash: a53b2ce46afe2029fd3e0496936f941aec567b482aeede95d32d6e795c25d485
              • Instruction Fuzzy Hash: 46A16A719083559FD721DF28C984B5BBBE8BB84715F004D2FF9A89A241E774D908CF92
              Function 03A49EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
              Download Yara Rule
              Strings
              • sxsisol_SearchActCtxForDllName, xrefs: 03A976DD
              • minkernel\ntdll\sxsisol.cpp, xrefs: 03A97713, 03A978A4
              • @, xrefs: 03A49EE7
              • Status != STATUS_NOT_FOUND, xrefs: 03A9789A
              • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 03A976EE
              • Internal error check failed, xrefs: 03A97718, 03A978A9
              • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03A97709
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
              • API String ID: 0-761764676
              • Opcode ID: c29e3fabf5cd050da0e0e49ba120c2a177e52bc2fe0181c03362212982bcfc9d
              • Instruction ID: 8bb8fa584887a8244383dd2dc6b3bf1e58374753a0c2d42032729b1f74172e33
              • Opcode Fuzzy Hash: c29e3fabf5cd050da0e0e49ba120c2a177e52bc2fe0181c03362212982bcfc9d
              • Instruction Fuzzy Hash: BC127E74A002259FEF24CF58C881AAEB7F4FF89714F1884ABE845EB351E7359851CB64
              Function 03A3EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: bf434be5520fb9ab46d5021b9a85015def67e22f0c38b560d7709f0e13be9f2b
              • Instruction ID: 4f9bc63339380d25002105fc4fc8d784829f6e2765a09016fd8d8e1ed9b2046a
              • Opcode Fuzzy Hash: bf434be5520fb9ab46d5021b9a85015def67e22f0c38b560d7709f0e13be9f2b
              • Instruction Fuzzy Hash: 6FA22A75E056298FDF64DF19CD88BA9B7B5AF4A304F1442EBE809A7250DB349E81CF40
              Function 03A2F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              • Opcode ID: 16c4044031f5d8853c8f4f70e4662a210e4548c60b4a0dba66b783665b19f433
              • Instruction ID: d7b6a3aed338b33dc7b3751e45d7c2ed532e8014a0644a1eecbbd35f2054a1e6
              • Opcode Fuzzy Hash: 16c4044031f5d8853c8f4f70e4662a210e4548c60b4a0dba66b783665b19f433
              • Instruction Fuzzy Hash: D242CC75608391DFC715EF28C984A2ABBF5FF89604F084A6FE8968B391D734D841CB52
              Function 03A3ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
              • API String ID: 0-4098886588
              • Opcode ID: cf74fb4dcc7e045557643824e69456ba336b30ba71bfbc8de4ad1d71cf45dec3
              • Instruction ID: 42a0e699015464ab06b8260121f379c540bda2dfad14169db5dd8275e8af3a19
              • Opcode Fuzzy Hash: cf74fb4dcc7e045557643824e69456ba336b30ba71bfbc8de4ad1d71cf45dec3
              • Instruction Fuzzy Hash: D032B175E04269CFEF25CB14C894BEEB7BAAF46340F1841EBE449A7290D7719E818F50
              Function 03A4B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              • Opcode ID: 7c0c5fecb97aff0ff6f48800748cf3a0e728a147769c3cceb80d62d223ef7d2e
              • Instruction ID: 7495ef8efd58544266c5bc43d8eb5401155a8a98af24a1ddc3ce7af080772324
              • Opcode Fuzzy Hash: 7c0c5fecb97aff0ff6f48800748cf3a0e728a147769c3cceb80d62d223ef7d2e
              • Instruction Fuzzy Hash: F6C12B35A00215ABDF24CB69C880BBEB7B9AFD5310F18416FE845AF791E7B4D944C3A1
              Function 03A663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 734dff4960eda31b954d31bdc0b14f960f73679e7c349e9349c32ff42e6814ff
              • Instruction ID: 85e0079dcac2be84fcc564ce788137faf3e53201d336056493d273d4c4c2c2fd
              • Opcode Fuzzy Hash: 734dff4960eda31b954d31bdc0b14f960f73679e7c349e9349c32ff42e6814ff
              • Instruction Fuzzy Hash: C6915836A00B149FDB34EF19DA48BAEB7B4FB55B18F08066FE8146B791D7B49801C790
              Function 03A6C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • Loading import redirection DLL: '%wZ', xrefs: 03AA8170
              • LdrpInitializeImportRedirection, xrefs: 03AA8177, 03AA81EB
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 03AA81E5
              • minkernel\ntdll\ldrredirect.c, xrefs: 03AA8181, 03AA81F5
              • LdrpInitializeProcess, xrefs: 03A6C6C4
              • minkernel\ntdll\ldrinit.c, xrefs: 03A6C6C3
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: 00b0c24b626c3f31de59535f5be230b379cf9ba889448194c91431231c13b874
              • Instruction ID: 680eb332a7dee1985c71fd4fa187afdd8fdb8fa68a86f553cd3659e7cfe6deaa
              • Opcode Fuzzy Hash: 00b0c24b626c3f31de59535f5be230b379cf9ba889448194c91431231c13b874
              • Instruction Fuzzy Hash: 8331F77A644701AFC224EF2CDE45E2AB7A4EF84B24F04095AF8855B391D724EC04C7A2
              Function 03AB9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
              • API String ID: 0-3127649145
              • Opcode ID: 3398d8dea2242e0086e6b4aeecfd57d2118ad879b6e1b9867c5e640d79389e08
              • Instruction ID: 3206126e9fc6a719954f92e822b291ea42a7303bf0b96b2a9f26db4c3c63b0c3
              • Opcode Fuzzy Hash: 3398d8dea2242e0086e6b4aeecfd57d2118ad879b6e1b9867c5e640d79389e08
              • Instruction Fuzzy Hash: AE325675A007199BDB60DF25CD88BDAB7F8FF48300F1046EAE509AB251DB70AA84CF50
              Function 03A49950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
              • API String ID: 0-3393094623
              • Opcode ID: 33ae96f6f1ba073717aad32fb8344dc0e30a9e74e46f4e1ddd09baa487c9d5b6
              • Instruction ID: f9b7b65b0dadf3073d1539f0a459caae53b5e913938f7574ea912c36683f73f8
              • Opcode Fuzzy Hash: 33ae96f6f1ba073717aad32fb8344dc0e30a9e74e46f4e1ddd09baa487c9d5b6
              • Instruction Fuzzy Hash: 0A0257719083418FD720CF64C184BABBBE5BFC9704F48892FE9999B250E770D855CBA2
              Function 03A551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
              Download Yara Rule
              Strings
              • Kernel-MUI-Language-Disallowed, xrefs: 03A55352
              • Kernel-MUI-Language-SKU, xrefs: 03A5542B
              • WindowsExcludedProcs, xrefs: 03A5522A
              • Kernel-MUI-Language-Allowed, xrefs: 03A5527B
              • Kernel-MUI-Number-Allowed, xrefs: 03A55247
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              • Opcode ID: b0ce2ea30638340fdadfcbe1b97d5f839abe5b706f779510a39353db82819641
              • Instruction ID: 8167ae1fbec74c7da047b3ce5bdb098d24b411ada9967fa97366f6c87b0d94de
              • Opcode Fuzzy Hash: b0ce2ea30638340fdadfcbe1b97d5f839abe5b706f779510a39353db82819641
              • Instruction Fuzzy Hash: 4AF13B76D00218EFCF15DF98D984AAEBBF9FF49650F15405BE902AB250D7749E01CBA0
              Function 03AB4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
              • API String ID: 0-2518169356
              • Opcode ID: 41d542eff2bd4030d099f69b2eb153f925089474e372be50fdf15d409c015334
              • Instruction ID: 507e0aa0a03d4a5a1c344dde915725ba08941310cd5429f481a40428b6380a5b
              • Opcode Fuzzy Hash: 41d542eff2bd4030d099f69b2eb153f925089474e372be50fdf15d409c015334
              • Instruction Fuzzy Hash: 6991BF76D006199FCB20CFA9C881AFEB7B8EF4A710F59416AE811EB352D735D901CB90
              Function 03A5D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1975516107
              • Opcode ID: b38e976ea0c6e8cb0678a297fbe06a229d7379977adf3577e89304f1b9716c4e
              • Instruction ID: 29bacc90396f13a2dd5c2222613d488ca9e0229281b992e807e20ee22a74675a
              • Opcode Fuzzy Hash: b38e976ea0c6e8cb0678a297fbe06a229d7379977adf3577e89304f1b9716c4e
              • Instruction Fuzzy Hash: 6A51EE75A00345DFDB24EFA8C68479DFBB1BF49318F28425BE8056B6A5D774A881CB80
              Function 03A276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
              • API String ID: 0-3061284088
              • Opcode ID: 0e107cebf052e6cfb8a99e752ad672cb97568d2f69a4711ed8f6069d5db4ce08
              • Instruction ID: 7ec83e9d1a2cd6e4eb0ffcfb69d5360722ebd41f449ce80cfa2d314a7c9a3658
              • Opcode Fuzzy Hash: 0e107cebf052e6cfb8a99e752ad672cb97568d2f69a4711ed8f6069d5db4ce08
              • Instruction Fuzzy Hash: 8A01D876148660EFD22AF71DE519F96BBE4EB42B70F18405BE0104BAA2CBA59C84D570
              Function 03A470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: 5a5605a92d66b8095c5b4ddb10633a8a5322f00d3f0709557a2cc598600acad1
              • Instruction ID: 5c720f475052159e6a3f4be9f1f10e72eb7c28b4cfc0f7f7fac978905813a9a4
              • Opcode Fuzzy Hash: 5a5605a92d66b8095c5b4ddb10633a8a5322f00d3f0709557a2cc598600acad1
              • Instruction Fuzzy Hash: 69139D70A00655DFDB25CF68C4807A9FBF5BF89304F1881AED859AB381D73AA945CF90
              Function 03A41070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              • API String ID: 0-3570731704
              • Opcode ID: 1cb36fba9d1f4bec82de3208c3d52f0a6281a7d16f338364539868be9ace5bb4
              • Instruction ID: 6cafc36fdc16cf96f1734caedb69ab4e6aab6f98a775d083496654a5038cbf6a
              • Opcode Fuzzy Hash: 1cb36fba9d1f4bec82de3208c3d52f0a6281a7d16f338364539868be9ace5bb4
              • Instruction Fuzzy Hash: 43923875E00228CFEB25CB18C981BA9B7B5BF85314F1981EBE949AB350D7349E80CF51
              Function 03A4A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
              Download Yara Rule
              Strings
              • SsHd, xrefs: 03A4A885
              • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03A97D39
              • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03A97D03
              • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03A97D56
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
              • API String ID: 0-2905229100
              • Opcode ID: d9367a8ffcf87c15cd14c72590af554d5416ad288f675ececd56713960db17fb
              • Instruction ID: 9e213cd229c4ac4a1af075da0219763e25527fa065368dafa9c31d95ac12252d
              • Opcode Fuzzy Hash: d9367a8ffcf87c15cd14c72590af554d5416ad288f675ececd56713960db17fb
              • Instruction Fuzzy Hash: 93D17C76A402199BDF24CF98C9806ADF7B5FF88310F19416BE845AB352D371D951CBA0
              Function 03A43D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: b8d3ee56b7d18420d42213645f920625798aa944010edd581d22cdfdb8a55610
              • Instruction ID: 022eb5a9025751643c2a21e450b86c452660aa0534101605dc41ab9c792221bf
              • Opcode Fuzzy Hash: b8d3ee56b7d18420d42213645f920625798aa944010edd581d22cdfdb8a55610
              • Instruction Fuzzy Hash: 28E29074A00655DFDB28CF69C490BA9FBF1FF89304F1881AED849AB385D735A845CB90
              Function 03A3A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: 496e732f0d58218b9c070a2a63866c1cab30399565341ce71f91cef90a6f1142
              • Instruction ID: 584432be85fe13b77e3d5cf4e764cb4d7bb944404988cc87f2b08d69c3087c2e
              • Opcode Fuzzy Hash: 496e732f0d58218b9c070a2a63866c1cab30399565341ce71f91cef90a6f1142
              • Instruction Fuzzy Hash: A8C177742083969FDB11CF28C144B6AB7F4AF86704F04896FF8D69B250E739C949CB56
              Function 03A40C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 03A954D1, 03A95592
              • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 03A954ED
              • HEAP: , xrefs: 03A954E0, 03A955A1
              • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 03A955AE
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
              • API String ID: 0-1657114761
              • Opcode ID: 006ef1e2a29b20a99e4d5047df1b0c5afa3263a40c3f72ea3193dff072ae5c7d
              • Instruction ID: 4a064eaf1d898d18c847a18d04cc775828ad5146751f57b2763fb9dbc82507ee
              • Opcode Fuzzy Hash: 006ef1e2a29b20a99e4d5047df1b0c5afa3263a40c3f72ea3193dff072ae5c7d
              • Instruction Fuzzy Hash: CAA1E034A04205DFDB24DF28C845BBAFBF5AF95300F18866FD5968B782D734A844EB90
              Function 004011F0 Relevance: 5.3, Strings: 4, Instructions: 251COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: '\y$]$`$/
              • API String ID: 0-3605676939
              • Opcode ID: 0f27cc0798bf836680d2788001de4d2868b6cb0f079cf3f438105b3b4a7e5fc2
              • Instruction ID: edce99a0ae4ccac6257319918f3b068376a4d6d8397f0ca5987307c3951ccc61
              • Opcode Fuzzy Hash: 0f27cc0798bf836680d2788001de4d2868b6cb0f079cf3f438105b3b4a7e5fc2
              • Instruction Fuzzy Hash: 4F91C571E1060987DF18CF99C8502EDB7B1EFD4318F18826AE819BF7A0E73999418B95
              Function 03A6273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • .Local, xrefs: 03A628D8
              • SXS: %s() passed the empty activation context, xrefs: 03AA21DE
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 03AA22B6
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 03AA21D9, 03AA22B1
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: 89297d2bfd422c8abda2032f2ae83d2927a180f4034677c3a950d4331de27cbb
              • Instruction ID: d00d9de2c67835240671e6311fa6dd06428eb94ea12ffee7cfe1f8a5815cedb7
              • Opcode Fuzzy Hash: 89297d2bfd422c8abda2032f2ae83d2927a180f4034677c3a950d4331de27cbb
              • Instruction Fuzzy Hash: F7A180369402299BDB24CF68DC84BA9B3B5BF58314F1949EFD848AB351D7309E84CF90
              Function 03A2F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
              • API String ID: 0-2586055223
              • Opcode ID: e9c0ff3c72fd4e6c746eaa3a1e8d3c732e6b67b9c0cadc108a075ed893497d1b
              • Instruction ID: aa296583c16daa479120f820bc5dcb9d0a36c31c6ecbe388f68d05c407762d64
              • Opcode Fuzzy Hash: e9c0ff3c72fd4e6c746eaa3a1e8d3c732e6b67b9c0cadc108a075ed893497d1b
              • Instruction Fuzzy Hash: 3561E076205780AFD721EB28C944F67BBF9EF84714F08086AF9558B391D734E941CB61
              Function 03AE11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 0-336120773
              • Opcode ID: 4b0d010567552ee9ff7948e19382012f010a8f1fc6dc0d23015e9d7e45f874f2
              • Instruction ID: 5640fa5e1c611e059691ae399d2b88f17617e2d2565026375bfdb02ca5201fef
              • Opcode Fuzzy Hash: 4b0d010567552ee9ff7948e19382012f010a8f1fc6dc0d23015e9d7e45f874f2
              • Instruction Fuzzy Hash: 6F31CB35600220EFD719EB98CD85FAAB7E8FF09764F18016BE451DB291E670EC41CA65
              Function 03A29148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              • API String ID: 0-1391187441
              • Opcode ID: 3b4eac729346533caa0001fe593226c7643f048062a405b13bbb52c5ab3a4456
              • Instruction ID: b6a9564966e3799282a2e4182c10809bb47ef469efacd18763b38071f4bfc628
              • Opcode Fuzzy Hash: 3b4eac729346533caa0001fe593226c7643f048062a405b13bbb52c5ab3a4456
              • Instruction Fuzzy Hash: D4316076A00214EFCB11EB5AC985FAFBBB9EF45B20F14405BE815AB291D770ED40CA71
              Function 03A429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
              Download Yara Rule
              Strings
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 03A4327D
              • HEAP[%wZ]: , xrefs: 03A43255
              • HEAP: , xrefs: 03A43264
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              • Opcode ID: 3cc228a040e33d32adc04e4d6deb8ebdf9ab513057718a3e064db2683bee3292
              • Instruction ID: b14979d86a1559113c921aa3d9c36d5cd517f9b81941745c007e2f4a2d3c5e5b
              • Opcode Fuzzy Hash: 3cc228a040e33d32adc04e4d6deb8ebdf9ab513057718a3e064db2683bee3292
              • Instruction Fuzzy Hash: 2B929A74A042499FDF25CF68C5447AEBBF1EF89300F1884AEE899AB391D735A941CF50
              Function 03A41F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: ea3eff02f1e1ed18900be1174038b8a668a61c27a6ee3f774df4aecb9df3d2e2
              • Instruction ID: 6ea9363dd267c2726302b933c256626521b982c24f16fff8d4d22345f4f04886
              • Opcode Fuzzy Hash: ea3eff02f1e1ed18900be1174038b8a668a61c27a6ee3f774df4aecb9df3d2e2
              • Instruction Fuzzy Hash: A522FB70A00641AFEB26CF28C495B7AFBF5EF46704F18849BE4559B392E735E881CB50
              Function 03A40770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: 2f60c4a7edbeed5a55c03bf9c2660473839fa7f6795f28e76cc49a89ffac88f5
              • Instruction ID: 3347c6cf4e671669eb5ed9f59dc216b8eecbff1f1a6b9277a192a906454854d8
              • Opcode Fuzzy Hash: 2f60c4a7edbeed5a55c03bf9c2660473839fa7f6795f28e76cc49a89ffac88f5
              • Instruction Fuzzy Hash: 36F1DE34A00605DFEB19DF68C980B6AF7F5FF85304F1881AAE516AB391D734E981CB90
              Function 03A31460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
              Download Yara Rule
              Strings
              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03A31728
              • HEAP[%wZ]: , xrefs: 03A31712
              • HEAP: , xrefs: 03A31596
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: dc43e685c58d0b7ef1f9aa47ca2879b7416dc398e1b35d61aadc38441cc70935
              • Instruction ID: 610709e2ce17c858ad566b8fec25c91aa3b42083f67f7ac14f69ba074d6f8fc5
              • Opcode Fuzzy Hash: dc43e685c58d0b7ef1f9aa47ca2879b7416dc398e1b35d61aadc38441cc70935
              • Instruction Fuzzy Hash: 2EE1C070A046469FDB29EF68C491B7ABBF5AF4A300F18855FF4968B345E734E940CB50
              Function 03A3B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
              • API String ID: 0-1145731471
              • Opcode ID: 538e78fdc4723a15f64f9a9e6155d2b102e898184a64017ee3edb9e8f0c234f6
              • Instruction ID: 1da94759f46221035dff2fa4eafc4e17346b3cece483057297a480bc1dc9850c
              • Opcode Fuzzy Hash: 538e78fdc4723a15f64f9a9e6155d2b102e898184a64017ee3edb9e8f0c234f6
              • Instruction Fuzzy Hash: F8B16A79A056449FEF25CF69C980BADB7B6EF45714F1889AFE451EB380D730A840CB60
              Function 03AB368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
              • API String ID: 0-2391371766
              • Opcode ID: eb8f2a6f86563541afb02f76a6aaf210330a9d89395303243bfa9c0ed49e76c5
              • Instruction ID: 23ee4bd00c63a88fc5779ea660b2770205c6327d03870154d0e23e6c51999e3b
              • Opcode Fuzzy Hash: eb8f2a6f86563541afb02f76a6aaf210330a9d89395303243bfa9c0ed49e76c5
              • Instruction Fuzzy Hash: 03B19D79604341AFEB21DF54C980BABB7FCAB49714F15092FFA409B291D771E844CB92
              Function 03A56962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: e61d0e1ced47722e557a0094eba9a686f4cc790bf5d934f84ceb587736316d73
              • Instruction ID: 2c2a95ef37f5fc73e27ac2bd630dcec5057f28a74874ed75174b36e260d49be9
              • Opcode Fuzzy Hash: e61d0e1ced47722e557a0094eba9a686f4cc790bf5d934f84ceb587736316d73
              • Instruction Fuzzy Hash: 05C27D716087419FEB25CF24C880BABBBE5AF88754F08896FF989E7250D735D804CB52
              Function 03A2A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: ef7e99afa1ae6a867ff19f4e9d6456bc6a91a0ad7d7af920c152457d35af27ac
              • Instruction ID: c4276869602d242dd173edf97e8cda97989e8d72cd8941fe8613abd6a72309ce
              • Opcode Fuzzy Hash: ef7e99afa1ae6a867ff19f4e9d6456bc6a91a0ad7d7af920c152457d35af27ac
              • Instruction Fuzzy Hash: 7FA18C759012299BDB31EF24CD88BEAF7B8EF44710F1405EAE909AB250D7359E85CF60
              Function 03AC36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
              • API String ID: 0-318774311
              • Opcode ID: 8adc1c9c8dbb606dc6484b402da17b3f83216242941387013c22e090524ddfcf
              • Instruction ID: ed5dfdd812346fdbc2f1b0aa39f5ab6ff36f9d0dfcfad91f7de8a22f3d420e0b
              • Opcode Fuzzy Hash: 8adc1c9c8dbb606dc6484b402da17b3f83216242941387013c22e090524ddfcf
              • Instruction Fuzzy Hash: 81818E79618380AFDB11DB14C984B6AB7E8FF85750F08892EF9909B3D0D778D904CB52
              Function 03A6909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %$&$@
              • API String ID: 0-1537733988
              • Opcode ID: 83ca95458df1b92bf84ba17eab3df040423cf43eae41263482d164b6a585f6d8
              • Instruction ID: daa09888330b133a13fbe6ec16afb9d69a637325e55ccae17112f64fbf2504e3
              • Opcode Fuzzy Hash: 83ca95458df1b92bf84ba17eab3df040423cf43eae41263482d164b6a585f6d8
              • Instruction Fuzzy Hash: 0071D1705087019FC754DF24CA84A2BFBE9FF85618F144A1FE4AA8B290D730D905CB96
              Function 03B0B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
              Download Yara Rule
              Strings
              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 03B0B82A
              • GlobalizationUserSettings, xrefs: 03B0B834
              • TargetNtPath, xrefs: 03B0B82F
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
              • API String ID: 0-505981995
              • Opcode ID: 15636f226af721803e43a3b71052b6dc90aeef50f55a95cf54d8f7be59142851
              • Instruction ID: f8ac4c2abfb6c65be880654ea99514b9fe64b38722deef5a26e131334f0ca0b7
              • Opcode Fuzzy Hash: 15636f226af721803e43a3b71052b6dc90aeef50f55a95cf54d8f7be59142851
              • Instruction Fuzzy Hash: A6617F76D41229ABDB21DF54DC88B9ABBB8EF04714F0101E5A508AB390DB74DE84CF90
              Function 03A2F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
              Download Yara Rule
              Strings
              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03A8E6C6
              • HEAP[%wZ]: , xrefs: 03A8E6A6
              • HEAP: , xrefs: 03A8E6B3
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
              • API String ID: 0-1340214556
              • Opcode ID: 4d3bd3db839c50ff4c947501fc33054a2151778eeb5004cd27629cb3fbadbb33
              • Instruction ID: 036c4df1b96919cc5b212d43e1c54dd64e74265abfca75975e59e93e7f8505a5
              • Opcode Fuzzy Hash: 4d3bd3db839c50ff4c947501fc33054a2151778eeb5004cd27629cb3fbadbb33
              • Instruction Fuzzy Hash: FF51C135604794EFD712EB68C944FAAFBF8EF05300F0845A6E9518B792D774E950CB20
              Function 03ADDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
              Download Yara Rule
              Strings
              • HEAP[%wZ]: , xrefs: 03ADDC12
              • HEAP: , xrefs: 03ADDC1F
              • Heap block at %p modified at %p past requested size of %Ix, xrefs: 03ADDC32
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
              • API String ID: 0-3815128232
              • Opcode ID: 0a60b769703dbbd0552a47eb6e7800b8a31878e67183ace78e2219ebf167883d
              • Instruction ID: 8f12bc6512ad7c7b5b96af41c0907455de36936ffaef0503e1be773aac742157
              • Opcode Fuzzy Hash: 0a60b769703dbbd0552a47eb6e7800b8a31878e67183ace78e2219ebf167883d
              • Instruction Fuzzy Hash: B15122352046508EE374DB2EC848772B7F2EF45648F08888FE4D38F685D276E846DB21
              Function 03A6C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • LdrpInitializePerUserWindowsDirectory, xrefs: 03AA82DE
              • Failed to reallocate the system dirs string !, xrefs: 03AA82D7
              • minkernel\ntdll\ldrinit.c, xrefs: 03AA82E8
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: 750bab00a3f7310cacd02f77dacd9aae5ae8c269e47c5f6976a2867153646bd6
              • Instruction ID: 2658679e4dca39bd962dd5367f5f5476536a5f439d4463705aadd68dadff5faa
              • Opcode Fuzzy Hash: 750bab00a3f7310cacd02f77dacd9aae5ae8c269e47c5f6976a2867153646bd6
              • Instruction Fuzzy Hash: 3A41F3B6944310ABC721EB68DA44B5B7BE8FF49764F044A2BF988D7250E774D8108B91
              Function 03A616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
              Download Yara Rule
              Strings
              • LdrpAllocateTls, xrefs: 03AA1B40
              • minkernel\ntdll\ldrtls.c, xrefs: 03AA1B4A
              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 03AA1B39
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
              • API String ID: 0-4274184382
              • Opcode ID: 5dce3385c75fc70b85e5e0466c9316018fecc1f53ead84e4fb7967415fe17fb7
              • Instruction ID: a61f9d262b8ab5298d84ca0675ea41bac60394a64342d3c4f7b09d47edaecf1a
              • Opcode Fuzzy Hash: 5dce3385c75fc70b85e5e0466c9316018fecc1f53ead84e4fb7967415fe17fb7
              • Instruction Fuzzy Hash: 1541587AA00608AFCB25DFA8C941BAEFBF5FF49714F14811AE405AB350D775A800CF90
              Function 03AEC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • PreferredUILanguages, xrefs: 03AEC212
              • @, xrefs: 03AEC1F1
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 03AEC1C5
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 0060061628eddba3190762393f871d2114d6e0e443597bb9f5e779a76facdcef
              • Instruction ID: 5ab04890a3e24fb31e98bcc2c766acfd892471d12dceba8989b9b751fc7dc686
              • Opcode Fuzzy Hash: 0060061628eddba3190762393f871d2114d6e0e443597bb9f5e779a76facdcef
              • Instruction Fuzzy Hash: 72418E76E00209EFDF15EBD8C995FEEB7BCAB44710F04406BE905BB290D7749A448B90
              Function 03AC4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: 8591aaa513ba8c5a1e86fc9481517d28db50bd95d2aa64ace21365b6f401317f
              • Instruction ID: 17b1b91cf4f3f09ddc2db6c0ad6f421ffe70fffb75e7dbf7771a928249ab3641
              • Opcode Fuzzy Hash: 8591aaa513ba8c5a1e86fc9481517d28db50bd95d2aa64ace21365b6f401317f
              • Instruction Fuzzy Hash: E84111359147888BEB26DBA6C964BADBBB8EF99340F18045FD841EF381D7348901CB14
              Function 03AB4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03AB4888
              • LdrpCheckRedirection, xrefs: 03AB488F
              • minkernel\ntdll\ldrredirect.c, xrefs: 03AB4899
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: b2497557e9226a9844dc6457fcc17b8839e7843e4b6f21c0f43e2e0fb4f399d7
              • Instruction ID: 781f91ffec14b80e1bdf07fd1a3660d804d8cbcf49958b23de19f10f9d4ff7cf
              • Opcode Fuzzy Hash: b2497557e9226a9844dc6457fcc17b8839e7843e4b6f21c0f43e2e0fb4f399d7
              • Instruction Fuzzy Hash: B341A232A047509FCB21CFAAD940AA6B7FCBB4E650B09065EEC589B353D731D850CB91
              Function 03A633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • RtlCreateActivationContext, xrefs: 03AA29F9
              • SXS: %s() passed the empty activation context data, xrefs: 03AA29FE
              • Actx , xrefs: 03A633AC
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              • API String ID: 0-859632880
              • Opcode ID: 3eeb9c39c38538ffcf42d09559466c9b4f295d664773738efd7730bd51e6b7c4
              • Instruction ID: 90cc076018201ecea3f90f7c8e04fde8160ee720a7a6b78ea7e0bb2244057c5d
              • Opcode Fuzzy Hash: 3eeb9c39c38538ffcf42d09559466c9b4f295d664773738efd7730bd51e6b7c4
              • Instruction Fuzzy Hash: 6C3124366007059FDF26DF58C884B9AB7A4FB44711F09886BED059F2E2CB70D852CB90
              Function 03A61607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeTls, xrefs: 03AA1A47
              • minkernel\ntdll\ldrtls.c, xrefs: 03AA1A51
              • DLL "%wZ" has TLS information at %p, xrefs: 03AA1A40
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
              • API String ID: 0-931879808
              • Opcode ID: 8217e44685d9c5d6e2ad1512c87eab52bda18691300166ef326b118a7a8603a2
              • Instruction ID: 32431d5cc2a7f355dff79ad443be9cb31ff9457863e162745fd04e236378f6ce
              • Opcode Fuzzy Hash: 8217e44685d9c5d6e2ad1512c87eab52bda18691300166ef326b118a7a8603a2
              • Instruction Fuzzy Hash: 2731F87AA00200BBDB30DB58CA45F7ABABCFB55758F04066FE505AB680E774AD048790
              Function 03A71270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
              Download Yara Rule
              Strings
              • BuildLabEx, xrefs: 03A7130F
              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 03A7127B
              • @, xrefs: 03A712A5
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
              • API String ID: 0-3051831665
              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction ID: a8b8bbb8635f4c2b3293b378a0f0205e4696ba5b75bacd31a1d16628ac6f4bac
              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction Fuzzy Hash: D6316F76A00619AFDB11EF95CD84EAFBBBDEB84750F004427E914AB260D730DA058B90
              Function 03AB20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • LdrpInitializationFailure, xrefs: 03AB20FA
              • Process initialization failed with status 0x%08lx, xrefs: 03AB20F3
              • minkernel\ntdll\ldrinit.c, xrefs: 03AB2104
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: 06262e8dba9930775aae76ff1c29c3f593c69b0380f494ab1d12a34f2db43fab
              • Instruction ID: aef50762d6a564b8665e7659e57b1d488da50fa94125045cb761eaa95823ce30
              • Opcode Fuzzy Hash: 06262e8dba9930775aae76ff1c29c3f593c69b0380f494ab1d12a34f2db43fab
              • Instruction Fuzzy Hash: C9F02835640308BFD720E70CDD42FD9776CEB40B48F04086BF6006B682D2F0E510CA50
              Function 03A403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: f6216e98892603d10145e9ee0fb0afc33c6f6f31a2a1673eac4546dfa14edfb0
              • Instruction ID: 8f770352b08b0b1f9371c788241d3551c7c65bfafa368bf9bbee186269fbe6fe
              • Opcode Fuzzy Hash: f6216e98892603d10145e9ee0fb0afc33c6f6f31a2a1673eac4546dfa14edfb0
              • Instruction Fuzzy Hash: C3715A75A002499FDF01DFA9DA94BAEB7F8AF48304F15416AE901AB351EB34ED01CB60
              Function 03AD705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: kLsE
              • API String ID: 3446177414-3058123920
              • Opcode ID: d396464b4d63fe9ccc76103b2cf373d68c36f1bd0b1cbb310f7dd4af0edb010b
              • Instruction ID: 855d1f489da0e14072bb88a84c01dc8d93171f355f2b0ef998dc5bc328983198
              • Opcode Fuzzy Hash: d396464b4d63fe9ccc76103b2cf373d68c36f1bd0b1cbb310f7dd4af0edb010b
              • Instruction Fuzzy Hash: 494153325013504AE335FF65EA84BA97BA4AB10B2CF18032EFDA18F6D9CBB54481C791
              Function 03A452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@
              • API String ID: 0-149943524
              • Opcode ID: 0e9d468387df5cb8c219825662c0e4d5ec99b6754e20cc715079c1a7964f4e25
              • Instruction ID: ad7057c915d896e68f9593e13577b879d61b08ddc5b21a22d9523fd04d0f494e
              • Opcode Fuzzy Hash: 0e9d468387df5cb8c219825662c0e4d5ec99b6754e20cc715079c1a7964f4e25
              • Instruction Fuzzy Hash: 113277749083118BDB28CF19C594B3AF7E5AFCA750F18492FF9959B2A0E734D844CB92
              Function 03A32FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @4_w@4_w$PATH
              • API String ID: 0-1852745621
              • Opcode ID: 4e3a4d1c5f9cbe381c82728a7e0f2c0eb21af93acef93ad5a4ecd2da6f770ae8
              • Instruction ID: 2a963f764ed2de4f2c4e31656ad1c2685209a33c935d619a4681d83f28ec82f4
              • Opcode Fuzzy Hash: 4e3a4d1c5f9cbe381c82728a7e0f2c0eb21af93acef93ad5a4ecd2da6f770ae8
              • Instruction Fuzzy Hash: 61F1C079D04218DBCF25DF98D981ABEB7B5FF89700F48812AF445AB390D774A841CB61
              Function 03AFA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: 43f70fa5d34d56a64a5fcdc68060a6d8f791d41cfd8d07da9d1eb43c14c6e85b
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: F6C1CE312047429FD724CF68C944BABFBE5AF84358F088A2EF699CA290D779D505CF51
              Function 03A30CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
              Download Yara Rule
              Strings
              • Failed to retrieve service checksum., xrefs: 03A8EE56
              • ResIdCount less than 2., xrefs: 03A8EEC9
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
              • API String ID: 0-863616075
              • Opcode ID: 4f997e090ffd5d28ca1235c0970a6b977c46f335d724c16239e74e0096c82c8a
              • Instruction ID: eae62c7f7d0e92526fcc9591efc1be43e2ac25469e405032f68f141408973b1c
              • Opcode Fuzzy Hash: 4f997e090ffd5d28ca1235c0970a6b977c46f335d724c16239e74e0096c82c8a
              • Instruction Fuzzy Hash: 49E1E1B19087849FE324CF15C441BABBBE4BB88314F008A2FE59D8B381DB749509CF56
              Function 03AAE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 1a506d39b7540ce06c88a39ab856b30e8fb7da990d5bcbe32583788bd8558ac1
              • Instruction ID: fe63cef0f58181a8f0ad6ca9a193e05bfccce0e5103537f7dbb1726626a0688d
              • Opcode Fuzzy Hash: 1a506d39b7540ce06c88a39ab856b30e8fb7da990d5bcbe32583788bd8558ac1
              • Instruction Fuzzy Hash: 83611972E007189FDB25DFA9C980FAEBBB9FB48700F14446EE559EB291D731A940CB50
              Function 03A4F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$
              • API String ID: 0-233714265
              • Opcode ID: a1fe3c16f599b8381f6ccc23971672a75f23e53490f6ca8700c33fcf0be63e86
              • Instruction ID: 14f5573c7da737d43996675d3e16fe1be76eff62064721f2db823f9f97dab2d7
              • Opcode Fuzzy Hash: a1fe3c16f599b8381f6ccc23971672a75f23e53490f6ca8700c33fcf0be63e86
              • Instruction Fuzzy Hash: E0619875A00749DFDB20EFA4C684BA9B7B1BB88308F18516FE515AF780CB74A941CB90
              Function 00401C60 Relevance: 2.6, Strings: 2, Instructions: 137COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: x$c
              • API String ID: 0-2896162669
              • Opcode ID: ebf18001478eef0d46912704b0fd62bc66bedb58c02d4104a3cb0a345d7ee86f
              • Instruction ID: f5fadbe95c4a172c36547af4bf25afba46c0a5bfbb7d0976998f263179bce14b
              • Opcode Fuzzy Hash: ebf18001478eef0d46912704b0fd62bc66bedb58c02d4104a3cb0a345d7ee86f
              • Instruction Fuzzy Hash: 6241F872F0012A47DB28895DCD8429AB666EFE4314F198277DD15FF3E4E678ED0146C4
              Function 03A3A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Enter, xrefs: 03A3A2FB
              • RtlpResUltimateFallbackInfo Exit, xrefs: 03A3A309
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: 02ee62e46804497b8d13d3a3048ea6584d4c8ceea016cb47bb799c774bdc231a
              • Instruction ID: 1e984b6ce8cfbe99f09a20eeb728b9390f0b5f5433304e694890da2cf546d44e
              • Opcode Fuzzy Hash: 02ee62e46804497b8d13d3a3048ea6584d4c8ceea016cb47bb799c774bdc231a
              • Instruction Fuzzy Hash: 02418E39A04659DBDB11CF69C840B69B7F4EF86700F1844ABEC44EB391E335D940CB51
              Function 03A6329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local\$@
              • API String ID: 0-380025441
              • Opcode ID: 9a22b1a30ad11d13977a82771cefdcac3516183899cfe55b4bfce71a5dea755a
              • Instruction ID: 217f52c9be5798c8a8e774fec2ba42c26763eceef0c792221df439a303396b1d
              • Opcode Fuzzy Hash: 9a22b1a30ad11d13977a82771cefdcac3516183899cfe55b4bfce71a5dea755a
              • Instruction Fuzzy Hash: 8031A17A5093049FCB10DF28C984A5BBBF8EBC5654F48092FF595872A0DA30DD05CB92
              Function 03A3C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: 44d76195c4876e8ff4a0f178b4e1b78bf05fcfa76dc9d232f9324d2f07a5f57c
              • Instruction ID: 677922b58dce1b654552457bfd1fe1c2554a5188b2ce59053ef5459f6cdb6860
              • Opcode Fuzzy Hash: 44d76195c4876e8ff4a0f178b4e1b78bf05fcfa76dc9d232f9324d2f07a5f57c
              • Instruction Fuzzy Hash: E8822775E00218DFDB24CFA9C984BADF7B5BF4A710F18816AE859AB394D7309D81CB50
              Function 03A82F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: P`MwRbMw
              • API String ID: 0-3798419607
              • Opcode ID: 7342cf4e4d69a3c314e8478ead086bb63926f2ddf7b25e900121087bda6b88eb
              • Instruction ID: 614cf0fe81c0d5ac59cda9ef0b1b4f7ab7f7f86c7e6bb9ac2e62ff2701397f9d
              • Opcode Fuzzy Hash: 7342cf4e4d69a3c314e8478ead086bb63926f2ddf7b25e900121087bda6b88eb
              • Instruction Fuzzy Hash: 6142BE7DD04259AEDF29EFA8D8446BDFBB5AF05B10F18806FE441AB2D0D7748A81CB50
              Function 03A5FB80 Relevance: 1.8, Strings: 1, Instructions: 559COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: I_wI_w@4_w@4_w
              • API String ID: 0-3634609715
              • Opcode ID: 4a63ee264ef4f64deadc8d159b05abd103338748a5a7b860e26c317acb37ee74
              • Instruction ID: 7d9423239c206e83e48264a510a76ab65fad31c980a57d05a1c3bd774e68a426
              • Opcode Fuzzy Hash: 4a63ee264ef4f64deadc8d159b05abd103338748a5a7b860e26c317acb37ee74
              • Instruction Fuzzy Hash: 5522C376900609DFDB10DFA8C984BAEB7B5FF88314F1486ABE8149B345E734DA45CB90
              Function 03A37370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4039f69f10575893d65e3dc404952f422e97782aae68f6ee03906d4fdabe63df
              • Instruction ID: eb0fd9238ef9833a818ff9a74a081080f367bfb7fa71a8f3f298ece9abdc4357
              • Opcode Fuzzy Hash: 4039f69f10575893d65e3dc404952f422e97782aae68f6ee03906d4fdabe63df
              • Instruction Fuzzy Hash: F5A169B5608342CFD724DF28D580A2ABBF9BF89304F1449AEF5859B350E731E945CB92
              Function 03A52E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: ea6a1f2d78cb6b16bfaac3eaf6362bd3fa6de8b55da691206a3c8f4ffb99020b
              • Instruction ID: fe18fdf758ddbb705bb336e58ff3e2fe2c24488414bd99d2642f4bbddba1e867
              • Opcode Fuzzy Hash: ea6a1f2d78cb6b16bfaac3eaf6362bd3fa6de8b55da691206a3c8f4ffb99020b
              • Instruction Fuzzy Hash: 2DF18E796087458FDF25CF25C580B6ABBE5AFC8650F09486FFC8A9B380DB30D9498B51
              Function 00416AEE Relevance: 1.7, Strings: 1, Instructions: 430COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 9fe6ce17d5a5150d37883276bd6dd859189dff1cb37aef9bfe5331f9ba64df8d
              • Instruction ID: c264aca9d063e64b86ba4e949a81fba2f305d246a0855e71870641fb92608edf
              • Opcode Fuzzy Hash: 9fe6ce17d5a5150d37883276bd6dd859189dff1cb37aef9bfe5331f9ba64df8d
              • Instruction Fuzzy Hash: AF021DB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
              Function 00416AF3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction ID: b61dbb4debc92cc59e8fd48069df448c4c120560fcb906b9e36422a6ec8ef113
              • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction Fuzzy Hash: 5B021EB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
              Function 03A5FDC0 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: I_wI_w@4_w@4_w
              • API String ID: 0-3634609715
              • Opcode ID: a51140e4b3c33dccd1baca5e0a7e9211dd1cbc8a339bc323443e3f4bac182357
              • Instruction ID: 6a4a050eae1b7e7f7f1533120f3ed1f1b40df9eb20d4c6b5a0700e11c6d87b1e
              • Opcode Fuzzy Hash: a51140e4b3c33dccd1baca5e0a7e9211dd1cbc8a339bc323443e3f4bac182357
              • Instruction Fuzzy Hash: 52F1C175900609DFDB14DFA8C980BAEB7B5FF48304F1886AAE815EB345E734DA45CB90
              Function 03A6F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c11fbf2f04bcbd650e43de2c28a217049f454bce5c912b115dc58a59ef5184f2
              • Instruction ID: 1112202be1040bd41c8c32b9f50e9226aa79b4f364d7c1dbbbf504b3a5290133
              • Opcode Fuzzy Hash: c11fbf2f04bcbd650e43de2c28a217049f454bce5c912b115dc58a59ef5184f2
              • Instruction Fuzzy Hash: FC414978900288AFDB21DFA9D980AAEFBF4FB48304F14416FE859AB211D7359940CB60
              Function 03A30100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 63ca541a1368ad5a10f12aad4cc11ffa9751dcd655141c78a12ee341f202856f
              • Instruction ID: 25bf37e931ab92400de16b3e3626f1a6e61acdee3cccd67151376574a9a3b495
              • Opcode Fuzzy Hash: 63ca541a1368ad5a10f12aad4cc11ffa9751dcd655141c78a12ee341f202856f
              • Instruction Fuzzy Hash: F1A10931A08368ABDF28DB698945FFEA7B95F56304F0840DFFD87AB281D6748940CB51
              Function 03A3973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction ID: b2f80c38dc2a053429c2eaf52d74e07b08113aa363a6d3dd09591dff4710f7eb
              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction Fuzzy Hash: 35613C75D00219ABDF21DF99C944BAEFBB8EF85714F14456FE810B7290D7B49901CBA0
              Function 03A2B2D3 Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 04_w04_wI_wI_w@4_w@4_w
              • API String ID: 0-4217632228
              • Opcode ID: 9c12643a38392e10fdb0d3792171c7647967daaf6fde20319a2825e8786a52da
              • Instruction ID: b7cffca9b55cadc5ce182b24b595e6e4db7158a9e29d6fd6bafd6231a4bad012
              • Opcode Fuzzy Hash: 9c12643a38392e10fdb0d3792171c7647967daaf6fde20319a2825e8786a52da
              • Instruction Fuzzy Hash: DD412535600710AFCB25EF29DA80F2ABBA9EF44764F15456FE5599B790D770DC008BA0
              Function 03ABF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction ID: 0bc704624d42cc68630cbf413135b15625f66575521c2b6838c1d7963715d6c7
              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction Fuzzy Hash: B2516772604345AFD721DF54CD84FAAB7BCFB84750F08092EB9809B291D7B4E914CB92
              Function 00402C7B Relevance: 1.4, Strings: 1, Instructions: 156COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff
              • API String ID: 0-1553575800
              • Opcode ID: 129f691285f856196d288592171d05380673586719924ab69570d2428f89bf1e
              • Instruction ID: d6a534ed54b21cd6b00990fa06cfd0beac800e4a165325f6df5fbd12c0c14d05
              • Opcode Fuzzy Hash: 129f691285f856196d288592171d05380673586719924ab69570d2428f89bf1e
              • Instruction Fuzzy Hash: 9D514B31A005194BDB1CCE6EDD952EDB792EFD4304F1882BED949EB3D1D5789E058B80
              Function 00402C80 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff
              • API String ID: 0-1553575800
              • Opcode ID: 537d0b1be08af3026344840f592bdb26fc4dccd5cd4213b404ff5303148487f2
              • Instruction ID: 6e873d9537f35847c7e4195f27f16d69510129edc3da73eac35c83a2c1a87905
              • Opcode Fuzzy Hash: 537d0b1be08af3026344840f592bdb26fc4dccd5cd4213b404ff5303148487f2
              • Instruction Fuzzy Hash: E0513731A0051A4BDB1CCE5EDA952EDB792EF94304F1882BEDD49EB3D1E5789E058A80
              Function 03A4E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: dd1e64b0bdbc65991748bf84c1470d96717c51955ce0b4e3d6828c137c6d9511
              • Instruction ID: 469494d91b8942fadfeca3192ff490e22da4dfd56dcddbf3d0df3d4728d76353
              • Opcode Fuzzy Hash: dd1e64b0bdbc65991748bf84c1470d96717c51955ce0b4e3d6828c137c6d9511
              • Instruction Fuzzy Hash: 3D416D76608341ABD710DB65CA80F6BB7E8BFC9724F44092FB984EB280E674D9048796
              Function 03AEB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: PreferredUILanguages
              • API String ID: 0-1884656846
              • Opcode ID: 2556ef0672e753ccffc4b7cf8c44fc8c993c910e7ab7d911800da4347d9c5d89
              • Instruction ID: 0bf2ffc12b98ea59b1c9a5dbb3f6a22a7917a72c214b63e55c37e390f6d1f0f8
              • Opcode Fuzzy Hash: 2556ef0672e753ccffc4b7cf8c44fc8c993c910e7ab7d911800da4347d9c5d89
              • Instruction Fuzzy Hash: 3141D23AD0421AAFCB11EB98C985BEEF7B9AF44710F05016BE911EB654D6B4DE40C7B0
              Function 03AAC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: abe4058df69b856430270bada14a2d75a6d8ac7dff8aa5fa94c197893163fb33
              • Instruction ID: 9531dd9262fbd81c8677462acfe21dd1a65f00fb9eb8e8af66692a30cc91a83c
              • Opcode Fuzzy Hash: abe4058df69b856430270bada14a2d75a6d8ac7dff8aa5fa94c197893163fb33
              • Instruction Fuzzy Hash: 544137B6D0062CABEB21DB54CD84FDEB77CAB45714F0045E6E608EB240DB709E498FA4
              Function 03AB97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: verifier.dll
              • API String ID: 0-3265496382
              • Opcode ID: 24034735ebe17cb15f3a5bdfffd5d6163d59c277c7efbb4d89e2fbaad08f38a7
              • Instruction ID: 093dab7a00b60d91d4aad08fa41093c583ed1f2176691f80fd282057efe6ef59
              • Opcode Fuzzy Hash: 24034735ebe17cb15f3a5bdfffd5d6163d59c277c7efbb4d89e2fbaad08f38a7
              • Instruction Fuzzy Hash: 22318275A003019FDB34DFA99950AB7B6F9EB59314F58807FE6089F382E7318C818790
              Function 03A636EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Flst
              • API String ID: 0-2374792617
              • Opcode ID: 3f56cbfd95e3ee63dd52777c446f134a5ec60beed2a824023dd63a219ba3397a
              • Instruction ID: ad910cae8ffb72d45c5c2f007937f99f5e71966715f942a1f1eaffa9f46bdbb5
              • Opcode Fuzzy Hash: 3f56cbfd95e3ee63dd52777c446f134a5ec60beed2a824023dd63a219ba3397a
              • Instruction Fuzzy Hash: 334189B5605301DFCB14CF18C580A26FBE4EF8A710F1885AFE45A8F291DB71D942CB91
              Function 03A29730 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: L4_wL4_w
              • API String ID: 0-4042522810
              • Opcode ID: 0ccdc5aa702bdf0825e4e9bad97c5211f6034481d7c483179a266647fb8e7703
              • Instruction ID: af420130cf843bbcfcf03bbe6508a1615216b530627310d86487e7881dd52406
              • Opcode Fuzzy Hash: 0ccdc5aa702bdf0825e4e9bad97c5211f6034481d7c483179a266647fb8e7703
              • Instruction Fuzzy Hash: E421C17AA00B20AFC321EF58C500B1BBFB5FB85B54F15046EE9699B740D770E811CBA0
              Function 03A35096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: 1786f7db44108600ac67c2adcc705d04fcb853ac516809d007e3d7daf1071b9c
              • Instruction ID: f256d26678ab7bb053f7cf2611d7cd4d7713507027e2cb9e96716aed25fb04c4
              • Opcode Fuzzy Hash: 1786f7db44108600ac67c2adcc705d04fcb853ac516809d007e3d7daf1071b9c
              • Instruction Fuzzy Hash: 23115130F49A028FEB24DA1DD8506B6F2E9EB97364F38852FF452DB391D672D8418780
              Function 03AB106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrCreateEnclave
              • API String ID: 0-3262589265
              • Opcode ID: 5c7691c7d443701785bcbcdb92eeaf85b4f0f9beef43b37d6667c73fda5093a2
              • Instruction ID: f7339886c24f0f9b86a058541bd63a05b53c3ec940793a936c8ea9a8cf0ec408
              • Opcode Fuzzy Hash: 5c7691c7d443701785bcbcdb92eeaf85b4f0f9beef43b37d6667c73fda5093a2
              • Instruction Fuzzy Hash: 8B21F3B1508344AFC320DF1A9944A9BFBE8FBD5B00F104A1FB5A49B251EBB09504CB92
              Function 03A6E8F0 Relevance: 1.0, Instructions: 985COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 64946e9dabe8aba28621b19d6e3227fc6d1afc83f8bebb0082a29be0db3791f8
              • Instruction ID: 6fbce891d9f818f494d72422d15df822fdb05b6e321b029bfa68d0690afc47d2
              • Opcode Fuzzy Hash: 64946e9dabe8aba28621b19d6e3227fc6d1afc83f8bebb0082a29be0db3791f8
              • Instruction Fuzzy Hash: 72822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE416EB349DA34AC568B45
              Function 03A7516C Relevance: .8, Instructions: 785COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e65f05a1615ff5c1a4010c50d37bc8e815a76bfac9a4a9ec590de5eb281f5b41
              • Instruction ID: b3bf6c691027b21751907d691d6345ae7fc044addd97febb5ee356fea1904e5d
              • Opcode Fuzzy Hash: e65f05a1615ff5c1a4010c50d37bc8e815a76bfac9a4a9ec590de5eb281f5b41
              • Instruction Fuzzy Hash: 24625D32D0464AAFCF25CF08D8D04AEFB62FE96314B49C59EC89A27604D371B955CBD1
              Function 03A8739A Relevance: .7, Instructions: 705COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef0f2544c8d3779d6d4dfb82d9006e13fa88ac152a3accf1697d6f605330f822
              • Instruction ID: 16fc4a8226e41a7dac7f2e65bf8ef19f50a48dd95ae372ad31c2479c48160fe3
              • Opcode Fuzzy Hash: ef0f2544c8d3779d6d4dfb82d9006e13fa88ac152a3accf1697d6f605330f822
              • Instruction Fuzzy Hash: 9742B275A006168FDB19DF59C480ABEF7B6FF88314B28856ED552AB340D736EC42CB90
              Function 03A85AA0 Relevance: .7, Instructions: 652COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
              • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
              Function 03A5B2C0 Relevance: .6, Instructions: 629COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 81e494968242cc8b720a761f4bc4784d10c50a1e615cb779630ed1133fa611cf
              • Instruction ID: 04ce30bfdaf64d71ccf378f6251d18e3c83e7f2c93f7933e3fbf6e43a6a8eb55
              • Opcode Fuzzy Hash: 81e494968242cc8b720a761f4bc4784d10c50a1e615cb779630ed1133fa611cf
              • Instruction Fuzzy Hash: CF32AC75E01219DBCF24DFA8C980BAEBBB5FF54715F18012EE805AB391E7759901CBA0
              Function 03AC8158 Relevance: .6, Instructions: 617COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 36288273c21941ba712983c5444f9dc88ccb2a445f7ab2e76d51a11f6a204ffe
              • Instruction ID: b2c15091a90cc1cc3985413d2d490fcdda3ea1932f2c04ed60bf5e88c10863ba
              • Opcode Fuzzy Hash: 36288273c21941ba712983c5444f9dc88ccb2a445f7ab2e76d51a11f6a204ffe
              • Instruction Fuzzy Hash: 28424A75A102599FDB24CF69C981BADF7F9BF88300F18819EE849EB241D7389985CF50
              Function 03A42840 Relevance: .6, Instructions: 605COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 065ecc1c65ee976f6b369168ba7db29f7802cbd6bac046efdb413d9ba4b45358
              • Instruction ID: 2bfcdc2998f07bb6f57392fc971a6311871a03aea88db90e97db48ad4b90c19e
              • Opcode Fuzzy Hash: 065ecc1c65ee976f6b369168ba7db29f7802cbd6bac046efdb413d9ba4b45358
              • Instruction Fuzzy Hash: 5532DD74A007558BEF24CF69C944BBEFBF6AF84314F18855FE486AB294DB35A801CB50
              Function 03ADA118 Relevance: .6, Instructions: 591COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b961176c4f6c4d008ea44a96ce7d27a4b3b43b675b9232768e10d619f2a17901
              • Instruction ID: 87f764a26d766adcee432b7554d6a7f803e4bbc619688835f37feaea24baf18e
              • Opcode Fuzzy Hash: b961176c4f6c4d008ea44a96ce7d27a4b3b43b675b9232768e10d619f2a17901
              • Instruction Fuzzy Hash: 3422AB742046618BDB28CF29C094772B7F1AF45304F08889FE897CF686E739E592DB61
              Function 03AF16CC Relevance: .6, Instructions: 571COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d589941aece0bcede756f4604df1a334bb86b86965d5e6884488ead82d2ebb37
              • Instruction ID: 287ff0ca072b195f876349ec591eb16c6143cd7d0fe933948c9601898a150334
              • Opcode Fuzzy Hash: d589941aece0bcede756f4604df1a334bb86b86965d5e6884488ead82d2ebb37
              • Instruction Fuzzy Hash: E522C335A00216CFCB19CF99C580ABAF3B2FF89314B18456EE655DB344DB34E942CB90
              Function 03AF1D5A Relevance: .6, Instructions: 559COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 010c80d2b74bfcffc7959ee126e5faf0a40012bd2321fe53c0fa4699254a5fd4
              • Instruction ID: 1d437bc637994d3992a72425f0fbfaae8e3bf18cb03c79e04429648cfe023f1b
              • Opcode Fuzzy Hash: 010c80d2b74bfcffc7959ee126e5faf0a40012bd2321fe53c0fa4699254a5fd4
              • Instruction Fuzzy Hash: 7C228F796047128FC718CF59C490A2AF3E5FF89314B188A6EFA96CB355D730E842CB91
              Function 03A58DBF Relevance: .6, Instructions: 554COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca1204758695afc4632570382ca9c3d6f7a9d63c5db51cf53951cfe7028869a1
              • Instruction ID: 94df3cf246010cfaafb1c0041b3ecd38d6ee7f8b71d6a42ad1d269ada8b0e0de
              • Opcode Fuzzy Hash: ca1204758695afc4632570382ca9c3d6f7a9d63c5db51cf53951cfe7028869a1
              • Instruction Fuzzy Hash: 0E222D74E00216DBDF15CF95C5809BEFBFABF88704B18849BE845AB241E738D981CB64
              Function 03AF2446 Relevance: .5, Instructions: 485COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f549744c47dda49088779e27412f38d33cf21f1d752a09c8a2df7f4c60cdac0b
              • Instruction ID: b62ed8de75b2f781a22b7813e12d41d21ccbffb24ed0dd0a4fb1a4ea06d110a2
              • Opcode Fuzzy Hash: f549744c47dda49088779e27412f38d33cf21f1d752a09c8a2df7f4c60cdac0b
              • Instruction Fuzzy Hash: 3202C0386046518FDB64CFAAC490375F7F1AF85300B58899FFA96CB281D738D842DB60
              Function 03B0B16B Relevance: .4, Instructions: 450COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be258b6fea864cf4359b95138e98d4eecbe63f075bef0091efeb3ae75aecbb48
              • Instruction ID: 3b811accfb1cfa5ce37e2aabf50c2229fa77ce07ce53558ac097391ac4897ee2
              • Opcode Fuzzy Hash: be258b6fea864cf4359b95138e98d4eecbe63f075bef0091efeb3ae75aecbb48
              • Instruction Fuzzy Hash: 73F1C372E006159BCB18CFA9C9A067EFFF5EF98214B1941B9D456DB3C0E634EA41CB90
              Function 00410313 Relevance: .4, Instructions: 435COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction ID: 57a41b6c328d6c096f3d1b9b31d8b6b04059802b1cd29ddf1efe58c70b62fbc5
              • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction Fuzzy Hash: 7A026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
              Function 03B0A9A6 Relevance: .4, Instructions: 425COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d0c96eb65a7642ed681ea43d694a6d50155b34cfb25b6159460166aa3404c5d
              • Instruction ID: d1e54e0368da9e29f3f0aed82128caba8a998576649fb9c4ca28242c9b9f0125
              • Opcode Fuzzy Hash: 3d0c96eb65a7642ed681ea43d694a6d50155b34cfb25b6159460166aa3404c5d
              • Instruction Fuzzy Hash: CFF19372E006269BCB28CE68C9A05BDFFB5EF45214B1946B9D856EB3C0D734DE41CB90
              Function 03A28397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 14e75e358f1a09723d4d273bd3d76b0a0eccc906416f42f7285a237e64899909
              • Instruction ID: 939cfa0ea574c21447ad650e9f46939894ca7ff5000eaa234cc67455e4292d0b
              • Opcode Fuzzy Hash: 14e75e358f1a09723d4d273bd3d76b0a0eccc906416f42f7285a237e64899909
              • Instruction Fuzzy Hash: 22D1C575A007269FCB14DF68C990ABABBB9BF54304F08466FF816DB280E738D945C760
              Function 03A5C6E0 Relevance: .4, Instructions: 367COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: af788007d720981c2ddcd809ac01adda6874c23c630ef7df2aea005a9ff55447
              • Instruction ID: b2ffc979e7cadfe790f9783d28e1dbfa097eb35e5f5a32582f4532ce140d7aa8
              • Opcode Fuzzy Hash: af788007d720981c2ddcd809ac01adda6874c23c630ef7df2aea005a9ff55447
              • Instruction Fuzzy Hash: CAD16971E043199BEF28CF98C5847BDBBB6FB45320F18806FE942AB699D7748941CB44
              Function 03A438E0 Relevance: .3, Instructions: 349COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5410c8bf43a3cbe9b2bcd24f4c5d99b76ae36e1554b39ae63c944b738f609520
              • Instruction ID: 903f77be1ac4cbca7fe8baf5e9558ff801441611d76a48730291500461cb91d8
              • Opcode Fuzzy Hash: 5410c8bf43a3cbe9b2bcd24f4c5d99b76ae36e1554b39ae63c944b738f609520
              • Instruction Fuzzy Hash: 59E18D75A00205CFDB18CF59C990BAAB7F5FF98310F2881AEE855AB791D730E951CB90
              Function 03A4CFE0 Relevance: .3, Instructions: 345COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75a722c63460b45cf499efff8fdd3bf73e73ceb327c6b226970a47f4706e03cf
              • Instruction ID: f4b7adac504025bebbe3cadeac8e0987fca3345e1a0651529aef0ab6ce85b13f
              • Opcode Fuzzy Hash: 75a722c63460b45cf499efff8fdd3bf73e73ceb327c6b226970a47f4706e03cf
              • Instruction Fuzzy Hash: 54D1B431A003198FDB35DB19C994BAAF7B5BB89304F0841EFD9099B242D774AD85CB51
              Function 03A3D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a5f30605faa9238452d1ae9b346d32fcb01466614ddf09d838fb08675a92b04
              • Instruction ID: 91b341f987e0021196cfe70de431e38e2335d18662574aba47b70191637fdce5
              • Opcode Fuzzy Hash: 2a5f30605faa9238452d1ae9b346d32fcb01466614ddf09d838fb08675a92b04
              • Instruction Fuzzy Hash: 3FC17375E002159BEF14CF5AC940BAEF7B5EB59314F18826FE815AB390D774A942CB80
              Function 03A40535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: e9098882c6ac9fdd2b330ae05871ab73bbd017513b3bbca89b0527953fd76a6d
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: F0B12435600645AFDF21DB68C940BBEFBF6EF89200F18459BD642AB381DB30E941DB90
              Function 03A590DB Relevance: .3, Instructions: 287COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4914fbd8ec3692c8f7878bc08d4f8b373f961683d4bb13091dadd7dd0d0973c6
              • Instruction ID: 866d99ded5bffed84e667a391d276ea3bec99fc0a362cf048515939d6cbaa721
              • Opcode Fuzzy Hash: 4914fbd8ec3692c8f7878bc08d4f8b373f961683d4bb13091dadd7dd0d0973c6
              • Instruction Fuzzy Hash: FDA14975900215AFEF26EFA4CC85FAFB7B9AF55750F05005AFA00AF2A0D7759850CBA0
              Function 03A383C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: befdeb9fb5d91676861ffe5249d53370050a301aec4a6d7fe08440b3cb12d4de
              • Instruction ID: eb15f13e897bb9a97d4ae893c550052aea872bc8d3120c3dc2290b1a5d3b8ed3
              • Opcode Fuzzy Hash: befdeb9fb5d91676861ffe5249d53370050a301aec4a6d7fe08440b3cb12d4de
              • Instruction Fuzzy Hash: 72C129745083418FDB64CF19C494BABB7E9BF88304F44496EF9899B390D778E909CB92
              Function 03A70185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db6254167b5318c7f9b9a1d8bb7c1ed3fae916c08aec39784e658436694685aa
              • Instruction ID: 9e72d4e71278ca5f4157e799e2c682b328f03e738fffbdb233227cac67a64f58
              • Opcode Fuzzy Hash: db6254167b5318c7f9b9a1d8bb7c1ed3fae916c08aec39784e658436694685aa
              • Instruction Fuzzy Hash: 6FA1AD75B0071A9BDB24DF69C9D0BAAB7F5FF54314F04412EEA459B281EB38E811CB90
              Function 03AB60E0 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21e1d25f86f779045b8d803d53b07986736f13455de73bcd6f072e1acc783ae7
              • Instruction ID: 896a688b4d4fc4b7aaea480316ed39b984846e7f30699c2edf87be417e88634c
              • Opcode Fuzzy Hash: 21e1d25f86f779045b8d803d53b07986736f13455de73bcd6f072e1acc783ae7
              • Instruction Fuzzy Hash: 8B91A375E00215AFDB15CFA8D884BFEBBBDAF48700F15416AE551EB362D738D9008BA0
              Function 03A4E3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 279c1fd1339c647258f6b1d8e9451357b650e49d7056da80c0414fc29f0f6280
              • Instruction ID: 618646c34ca37f1488ba31797c5deba8965c66d098195213fdd505bb64000b22
              • Opcode Fuzzy Hash: 279c1fd1339c647258f6b1d8e9451357b650e49d7056da80c0414fc29f0f6280
              • Instruction Fuzzy Hash: 24910135A006219BEB24DB28D940F7AB7F5FBD4714F0985AFE805AB390E7349901C791
              Function 03A31131 Relevance: .3, Instructions: 259COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 79c1010253bd28f46d3ea2afa9c0fdf50b2f088f3b29b7cb68f58c5cb63ae22b
              • Instruction ID: 1293f88f4a53be13bdc3713b1f9bafad66cff684cf4c73a15f96e030c1fb2246
              • Opcode Fuzzy Hash: 79c1010253bd28f46d3ea2afa9c0fdf50b2f088f3b29b7cb68f58c5cb63ae22b
              • Instruction Fuzzy Hash: ECB10175A093418FD364DF28C580A5AFBF1BB89304F184A6EF899CB352D371E945CB82
              Function 03A64750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction ID: fa3e5c381cb91660f8c375df9b4690646a393b1c2c4e0ae09f5ec8799434fd40
              • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction Fuzzy Hash: 86812736A047968FEF25CEAEC8C026DBB65EF57200B2C467FD4429B281C3659886C791
              Function 03A7DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
              • Instruction ID: f0340984e7fa6eaa61b4ace1006af130b2e4f9e81631243819cd7fa537f6a2bb
              • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
              • Instruction Fuzzy Hash: 37914E72621A06CFD725CF29CCC9662BBE0FF55324B188A1ED4E6DB6A1C375E511CB00
              Function 03AFF7B0 Relevance: .2, Instructions: 242COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6a41012268aa69f27374539dd91b455dd862c927d0d83430ede1bae10483d270
              • Instruction ID: 01503f04b2fd0598800241cb59883ffaea61dba819562c6fb28333244e799dae
              • Opcode Fuzzy Hash: 6a41012268aa69f27374539dd91b455dd862c927d0d83430ede1bae10483d270
              • Instruction Fuzzy Hash: 0C91E672A00206AFDB24CFA8C98076AB7F5EF44314F08857AFA55DB395D774E911CB90
              Function 03AFF43F Relevance: .2, Instructions: 241COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 05f00d3af0abcc9b514fe9d5be3a9b0dc7945333ddb375f697aeac1645c6a143
              • Instruction ID: f022357de8740576d0d3fb15a3755c349ab238af2a7a8b681eb5373cd651762d
              • Opcode Fuzzy Hash: 05f00d3af0abcc9b514fe9d5be3a9b0dc7945333ddb375f697aeac1645c6a143
              • Instruction Fuzzy Hash: 2191F172A001158FDB18CF69C8906BEBBF1FF88315F1982BAE955DB399D634DA01CB50
              Function 03AF81CC Relevance: .2, Instructions: 232COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22a5b7cfcbe284a673675175eed5684f2da04755d8ce6e8ed55a3ceeeb404889
              • Instruction ID: 8c4456eeeb38421ec070c27743a91b4b01f2337a238bf0b6a1be87cd92bb8f03
              • Opcode Fuzzy Hash: 22a5b7cfcbe284a673675175eed5684f2da04755d8ce6e8ed55a3ceeeb404889
              • Instruction Fuzzy Hash: 4181A472E006159FCB18CFA9C8805AEB7F9FF88315B18436BE525E7290D778E951CB90
              Function 03A40E59 Relevance: .2, Instructions: 231COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21b423466910033e4e2f516e980fe45ac0b6c6e77cb5b6cfb2ba329f9a40ad6a
              • Instruction ID: 34cacd0ab3d2399cb40dca3a90d50c8322ceddda70ef9754b515e61b4b52089d
              • Opcode Fuzzy Hash: 21b423466910033e4e2f516e980fe45ac0b6c6e77cb5b6cfb2ba329f9a40ad6a
              • Instruction Fuzzy Hash: AE819631A00659DFDB14CF69C88096EFBB6FFC5210B2882ABE9559B345D730E941DB90
              Function 03AEE4F6 Relevance: .2, Instructions: 224COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a5b0cef1627c89b9cdd7086923615a7a57a4a7081e78a43f0e627e0cd72dbe6
              • Instruction ID: e2752ec3d02c3c374399e8ac3dbb7bd27bb707cc919de3001d1f3c723d3adaec
              • Opcode Fuzzy Hash: 0a5b0cef1627c89b9cdd7086923615a7a57a4a7081e78a43f0e627e0cd72dbe6
              • Instruction Fuzzy Hash: B6815F76E002159BCB18CF99C590AADFBF1EB89310F19816ED816EF385D7349941CB90
              Function 03AFAB40 Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction ID: 5ea1e20f53b3448608d50d14848add573aa96921d58125c258e6c5a4f93292f5
              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction Fuzzy Hash: 36816F35A102099FCF18DFD9C994AAEB7B6AF84314F18856EE91A9B344D734E902CF50
              Function 03A5D090 Relevance: .2, Instructions: 217COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction ID: d885c935b8e6630431087fa919aca82514e7fc5cc57b12eca0deb9c08de44dec
              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction Fuzzy Hash: 6D817A76E001199FEF14CF69C980BADF7F2FB84344F19826BE816BB345D6359A408B91
              Function 03A6E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 61d4261e253ee1fb2b444870cd944de2256761f3e9c5e0faa648eab0ad2084c3
              • Instruction ID: ddfebbdbf9858d3ab1d2b175b8f0fae66f2d0ce98a8ca4ded2997f7db5374629
              • Opcode Fuzzy Hash: 61d4261e253ee1fb2b444870cd944de2256761f3e9c5e0faa648eab0ad2084c3
              • Instruction Fuzzy Hash: 89813C75A00709AFDB25CFA9C980EEEF7BAFB88354F14442EE556A7250D730AC45CB60
              Function 03A5B950 Relevance: .2, Instructions: 209COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 253aed21cfb25b98fd4b485c21fdbdda36271c2d75cf34028c370050bcf890a1
              • Instruction ID: 1a6c0cd97bf875577684958cdb2f0fc6787621413db842671f02118da320613c
              • Opcode Fuzzy Hash: 253aed21cfb25b98fd4b485c21fdbdda36271c2d75cf34028c370050bcf890a1
              • Instruction Fuzzy Hash: 0971D5342046509FEB24CF2AC940B36B7E1AB85705F18855FFE969B2D5D739E802CB70
              Function 03AEDAC6 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21486e982505c48751967af532ac42dc8b8464fac475febd8e22f9800f4f3bd6
              • Instruction ID: 00713a7a9e90befc3e48a6ba8b99cd13caac4f5f7174c572e564f143eeed2c6a
              • Opcode Fuzzy Hash: 21486e982505c48751967af532ac42dc8b8464fac475febd8e22f9800f4f3bd6
              • Instruction Fuzzy Hash: 0D817C70D006A5DFDB24CFAAC488AAAFBF5EF89740F04849EE495AB285D374D841DF50
              Function 03AF70E9 Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5fc4620d45d4aab1a96d91dcd28f72a5190d40a7787516c058f3c8b586638a49
              • Instruction ID: db727283c703c22efb48fa53f5f51d37d3ad98b7efec073b9110a4a50cd4ab5e
              • Opcode Fuzzy Hash: 5fc4620d45d4aab1a96d91dcd28f72a5190d40a7787516c058f3c8b586638a49
              • Instruction Fuzzy Hash: D661AF75E0031AAFCB14EFE5C980ABFB779AF44350F14452BFA11AB340EB75D9458A90
              Function 03A4260B Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31f8824dccb678eec6b4db7887e74bd6b9eaf3b759e8691488dbc2c4a465437f
              • Instruction ID: 9aad400b5309c16242ab39085b48ca08ee594cd2401684898c7cbbd90e3076e4
              • Opcode Fuzzy Hash: 31f8824dccb678eec6b4db7887e74bd6b9eaf3b759e8691488dbc2c4a465437f
              • Instruction Fuzzy Hash: 5A719A356046419FD715DF28C580B2AF7E5FFC9210F0989ABF8988B362DB78D846CB91
              Function 03AEF0CC Relevance: .2, Instructions: 199COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c00640a0106b65aae920ec11854c253dc96c92a6a5c5fefcd5b74a00b6cac1a4
              • Instruction ID: ede831d5afe994e44e74676cf927a738d0ff1e263c7c2436a0bb2558d7f04a30
              • Opcode Fuzzy Hash: c00640a0106b65aae920ec11854c253dc96c92a6a5c5fefcd5b74a00b6cac1a4
              • Instruction Fuzzy Hash: 28719C79A01626DFCB28CF5AC48017AF3F1FF84705B6A496FD98297640D374E980CB90
              Function 03AB035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: 410027a447294b0fe076a5467849a7f6c2d4b3fe59bc60b5e2ff0c919b694c4a
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 6F716275E00619AFCB10DFA5CA44EDEBBB8FF84700F14456AE505AB351DB34EA05CB50
              Function 03AC62A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e5d9382b475e83bddac0287749266de039603773d4f9e07558f3bf107048513
              • Instruction ID: 22ea239124a80a6c05ae2f3629092a5b100deeb4a02c2c3ceea74d3df88ce04a
              • Opcode Fuzzy Hash: 0e5d9382b475e83bddac0287749266de039603773d4f9e07558f3bf107048513
              • Instruction Fuzzy Hash: DC71F036250B41AFDB31DF14CA84FAAB7B5EF84720F18492EE2569B2B0D774E944CB50
              Function 03AF7A46 Relevance: .2, Instructions: 193COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe064efae241bba083a45b10b87e640edcb3c620a0ef15e61de8662abdf17c00
              • Instruction ID: eda54f14327f02ee44bd8bfb20e6eed1e3434448bc382ea5fe8b1e3a8b82b10c
              • Opcode Fuzzy Hash: fe064efae241bba083a45b10b87e640edcb3c620a0ef15e61de8662abdf17c00
              • Instruction Fuzzy Hash: 37513B75A002255FCB14DFA9C980ABAF7F6EF88350B18416EFE55DB384DA35C902C7A0
              Function 03AF132D Relevance: .2, Instructions: 188COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b196f64b83055bf841cf71f0ec4957dc095e6bbc8f0183c734c4aa9c3cbf4852
              • Instruction ID: 89148de5321adbf616ebf5eb64088e53e4f8ec86c4a2f389848cef960d1f55bb
              • Opcode Fuzzy Hash: b196f64b83055bf841cf71f0ec4957dc095e6bbc8f0183c734c4aa9c3cbf4852
              • Instruction Fuzzy Hash: FC816D75A00205DFCB09CF99C590AAEB7F1FF88304F1981AAE859EB345D734EA41CB90
              Function 03AF903E Relevance: .2, Instructions: 186COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 875d6946d9e85bea22189d46ab6052df7df89fd44149fcdebdaf4934939f957a
              • Instruction ID: 81f3248298b1a5ed30268890f52c4dd8d2a4cfb4b5b92e4622d7b4aea49a1421
              • Opcode Fuzzy Hash: 875d6946d9e85bea22189d46ab6052df7df89fd44149fcdebdaf4934939f957a
              • Instruction Fuzzy Hash: 3661DE75600715AFD765DFA5C984BABFBA8FF88710F04462EFA598B240DB30E510CBA1
              Function 03AFFCF2 Relevance: .2, Instructions: 181COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1200870572b50c7b8a3589c3cd410c2042a2d007d6f77e5bd910ca4a60a41bad
              • Instruction ID: 5ea9d18345f16e2ddd22d1805dc22fab155decfaf1b9ec67db3131377d7a6022
              • Opcode Fuzzy Hash: 1200870572b50c7b8a3589c3cd410c2042a2d007d6f77e5bd910ca4a60a41bad
              • Instruction Fuzzy Hash: 4261B331A0020A9FCB14DFA8C980ABEF7F5FF48318F14466AF655EB284D734A955CB50
              Function 03A37703 Relevance: .2, Instructions: 179COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3de7bfd220899a245adaf27acc33cb3ed554d7c128db9940cd4549b1d5f1279
              • Instruction ID: 71c0c36b114e8567936c3ee2240cb89420d5a52c6967ea6fe967638005a442a9
              • Opcode Fuzzy Hash: a3de7bfd220899a245adaf27acc33cb3ed554d7c128db9940cd4549b1d5f1279
              • Instruction Fuzzy Hash: B56123B5A00605EFDB18DF68C580AADFBB5FF89304F18856FE519A7340DB35A941CB90
              Function 03AF92A6 Relevance: .2, Instructions: 174COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8259485a1ea8f193066365729dc68a009227554699174c79a4f0eb6877d7ec44
              • Instruction ID: fdeef5b6294c43eaf4f615a99ca215fb3b358faf2350f8c4bcf4b3c5add0ea5d
              • Opcode Fuzzy Hash: 8259485a1ea8f193066365729dc68a009227554699174c79a4f0eb6877d7ec44
              • Instruction Fuzzy Hash: 1161DF352047428FD315DFA8C994B6BB7E4BF90708F18496EFA858B391DB35E806CB91
              Function 03AFCE93 Relevance: .2, Instructions: 172COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction ID: e166fbb1b322efa79da8d6305b759d37e86ded2fedeea4b75bfbf3b058a5a72f
              • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction Fuzzy Hash: 8251143260430A5FC715DF6AC85076AFBE6AFC1260F19846FFA56CB349DA30D9098791
              Function 004100F3 Relevance: .2, Instructions: 165COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction ID: dbd5fd89e6c0f548719f7fd991e585a64f6020043c075e633e8a6fcc1c3abe3f
              • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction Fuzzy Hash: 205182B3E14A214BD3188E09CC40635B792EFC8312B5F81BADD199B357CE74E9529A90
              Function 03AF7D73 Relevance: .2, Instructions: 160COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7480d0718375433fc77a323c9cfb632dd1c865cf9543cdbf312060e9e6466656
              • Instruction ID: 38db14aedf57af1314f5e5ca0520f7c6de744aa5ee7f235083505909804e4d3f
              • Opcode Fuzzy Hash: 7480d0718375433fc77a323c9cfb632dd1c865cf9543cdbf312060e9e6466656
              • Instruction Fuzzy Hash: 0951C136A1014A8FCB08CFA8C480AEEB7F1EF98314B19827ED915DB355E731DA15CB90
              Function 004100EA Relevance: .2, Instructions: 160COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ff29c95b7e0ff90e359a38c5ec1f741c11673a29b60b039085b1eb5031236f3
              • Instruction ID: 5737424c76cd32f136558e663d7479c6cfc2cb2f1b861d524d784ab48317940b
              • Opcode Fuzzy Hash: 1ff29c95b7e0ff90e359a38c5ec1f741c11673a29b60b039085b1eb5031236f3
              • Instruction Fuzzy Hash: FD5192B3E14A214BD3188F09CD40635B692FFC8312B5B81BEDD199B35BCE74E9529A90
              Function 03A43740 Relevance: .2, Instructions: 159COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62e832910576d6adbed08cc2b47138aa1a01df0f93294633a789380cc6c25aa0
              • Instruction ID: 14baf193abc821607c6d58d3f3da0c0bfcc6ca8cbab737ca72ca89da183d8a0b
              • Opcode Fuzzy Hash: 62e832910576d6adbed08cc2b47138aa1a01df0f93294633a789380cc6c25aa0
              • Instruction Fuzzy Hash: 54510579A00615AFCB11CF68C480769F7B4FF95710F0942AAE895DB780E734E9A1CBC0
              Function 03A37152 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3de62753f094db0db477ed5fb30864175be209c4d3e01ee99ffb5e90afa4d9aa
              • Instruction ID: a9b55d9b4565b88b3633d88ae5051021b05ab70c1e98395b23f42eed6828e350
              • Opcode Fuzzy Hash: 3de62753f094db0db477ed5fb30864175be209c4d3e01ee99ffb5e90afa4d9aa
              • Instruction Fuzzy Hash: C851E176A0060AEFEF15DF64C944BADB7F8BF46315F1441ABE402A76A0EB749911CF80
              Function 03AB3A6C Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 28f25674bd7812529728c4a807f1b3a7aad6acb568bc368bb3341bdfd070c871
              • Instruction ID: 477aaac31d32c0ad89f2ced593988b6425b949bd9d12c21f7d126f4d8b42c527
              • Opcode Fuzzy Hash: 28f25674bd7812529728c4a807f1b3a7aad6acb568bc368bb3341bdfd070c871
              • Instruction Fuzzy Hash: C9519E37E4012D4BEF24CA58D461BEFB3F6EB44310F48086AE849BB3C5C6B66A57D550
              Function 03AAD800 Relevance: .2, Instructions: 155COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80d4643433773eaa82b24366a5f607725bdab2eb491ba1c22f0e916330656c0c
              • Instruction ID: 48871060aeace8029d0d9688ad1bb4a9ecd59f3ea998dffd3849c5886cd40752
              • Opcode Fuzzy Hash: 80d4643433773eaa82b24366a5f607725bdab2eb491ba1c22f0e916330656c0c
              • Instruction Fuzzy Hash: 9051DE75A00A15ABCB14DF6DC4A0ABEB7B4FF45700B0845AFE881DBB90E734D850CB90
              Function 03AFD26B Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction ID: c970e9fe573c1af63cd567b5c8aae5e67697c4d564573698d9fe539917759118
              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction Fuzzy Hash: AE516E766087429FC716CFA8C884B5AB7E5FBC8344F048A2EFA948B344D734E905CB52
              Function 03AF7571 Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ddd4e82306d5514fffa1f1b30874c7f09d1d458be5fe5861797eb9008640ed2
              • Instruction ID: 68c30fc4fea65421fdc3a0ea6b39f371216c27a6d816228f390c1ece2cd57697
              • Opcode Fuzzy Hash: 0ddd4e82306d5514fffa1f1b30874c7f09d1d458be5fe5861797eb9008640ed2
              • Instruction Fuzzy Hash: 59510531A00219AFCB14DFA9C944A7EFBB9FF48384F08416AFA05D7250DB75AE11CB80
              Function 03A351ED Relevance: .1, Instructions: 149COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5fba3cbec30ef7f11953d733d1d9ba3a645fb0fbc9e6201e0af211e94a61101e
              • Instruction ID: 42f7cc77a01b81686140aafccc28d2ad0fda692e3a207240d397009c148d56b2
              • Opcode Fuzzy Hash: 5fba3cbec30ef7f11953d733d1d9ba3a645fb0fbc9e6201e0af211e94a61101e
              • Instruction Fuzzy Hash: 0B518975E05314DFEF25DBA9C940BADB7B8AF0B358F18006BF811EB240D7B498408B52
              Function 03AB5BF0 Relevance: .1, Instructions: 145COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e13dc8d16d1cb1a6840996b3cec8f6a1cc87c01a5490f89f83da57e4cb875b4
              • Instruction ID: b3c6d7d034ce96a22f1688bb815cf9dba368ba350201802f4a1fbde138adb64a
              • Opcode Fuzzy Hash: 5e13dc8d16d1cb1a6840996b3cec8f6a1cc87c01a5490f89f83da57e4cb875b4
              • Instruction Fuzzy Hash: BA41F635E407549BCB25FFB49A06BEEBBB99F4B614B00077BE806EB352DA7488004791
              Function 03A6F71F Relevance: .1, Instructions: 143COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8939629acf6f74f1629921e0e57b513a28d699f55ced77cb34f2c58e4a753
              • Instruction ID: 9a282a144b54202e5bd0a708d7673d338cd7a61dfa54191f7d7ba09c24769ee9
              • Opcode Fuzzy Hash: abe8939629acf6f74f1629921e0e57b513a28d699f55ced77cb34f2c58e4a753
              • Instruction Fuzzy Hash: 8741947AD05229AFDF11EBA8D984ABFB6BCAF05654F05016BE900FB700D634DE4187E4
              Function 03A601F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a13fe27dc36b64178cbd73f66f4d810b6ea9621728028c8166da154b9894bd6d
              • Instruction ID: cd74ec1f834fef3c3153543b04f7eb664e192176b9a14b5f8926dfacb357e63b
              • Opcode Fuzzy Hash: a13fe27dc36b64178cbd73f66f4d810b6ea9621728028c8166da154b9894bd6d
              • Instruction Fuzzy Hash: BD41AD369042149BCB14DFA8C440AEEF7B8BF88610F18816FE916EB340D7359C81CBA4
              Function 03A72750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: afcfc4699c94579a887cca113cd85968202e1e51533d46946c1a901978bf4a17
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 96512B76A00615DFCB15CF58C580AAEF7F6FF84710F2885AAD855A7350D734AE81CB90
              Function 03AAD1C0 Relevance: .1, Instructions: 135COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction ID: e9a6f7041004389dff19125b2f7aa8799e1f285cd93d13f3fbc6f5400b0d7e94
              • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction Fuzzy Hash: C4512776A00606DFCB18CF68C4916AAFBF1FF48314B18856ED859A7745E734EA90CF90
              Function 03A36154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2387cf2c5b78db35841b9efe40dfae152d7dbb73d2704d80f96d98a73893a910
              • Instruction ID: 236daf51bb0c6ae78cf5fd7eb0101e8232631da74c31a31768f8dc81931cecfd
              • Opcode Fuzzy Hash: 2387cf2c5b78db35841b9efe40dfae152d7dbb73d2704d80f96d98a73893a910
              • Instruction Fuzzy Hash: 2E51F870904216EBDB29DB64CD44BE8BBB5EF02314F1842EBE429AB7D1E7785981CF40
              Function 03A2B136 Relevance: .1, Instructions: 131COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef7d1b605d209e038ae8b93e532e6e9b02191fd236c340c03f71a01e6055b314
              • Instruction ID: 71ee399c0f34915b535935543d96d3c8e727deaaaf8301294af87332d382f584
              • Opcode Fuzzy Hash: ef7d1b605d209e038ae8b93e532e6e9b02191fd236c340c03f71a01e6055b314
              • Instruction Fuzzy Hash: 8341AC75640311EFDB25EF68CA80B6ABBB8EF50794F04446BE9559B690E774D800CFA0
              Function 03AFF0E0 Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e82f068e2f2f586f48d6c844784d22b7a51cb523507a4506aa1bcade9f7315d
              • Instruction ID: 64411042a8576488a333d1fa877dbe426e3e01269785eec26aed22b9841dbab5
              • Opcode Fuzzy Hash: 5e82f068e2f2f586f48d6c844784d22b7a51cb523507a4506aa1bcade9f7315d
              • Instruction Fuzzy Hash: B741D0712083418FD708CF65D8A497ABBE1EBD4315F088A5EF9D58B382C730D909CB61
              Function 03ADD5B0 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 48c74ee4c5d5cec4b37b7ae190121a5aa55c03bc0b6d38ced6f1a9704ab9af32
              • Instruction ID: 22a007878fb60635cccdfec5176d69b7744f50f8e29c92b4d960d46df4404588
              • Opcode Fuzzy Hash: 48c74ee4c5d5cec4b37b7ae190121a5aa55c03bc0b6d38ced6f1a9704ab9af32
              • Instruction Fuzzy Hash: 0541F330A182959FCB14DF29C495ABAFBF1FF49304F09849EE4C68F245C739A456DBA0
              Function 03A5D6E0 Relevance: .1, Instructions: 126COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 557f067e558d842146512f298a608c81dcb2e9df9331c59b11733928417bc36b
              • Instruction ID: 96665835fd596636859ec5ef78f3c4ef373738e8a1d8b4dfa067c19582c2ddd9
              • Opcode Fuzzy Hash: 557f067e558d842146512f298a608c81dcb2e9df9331c59b11733928417bc36b
              • Instruction Fuzzy Hash: C041B17A6043009FD734EF25CA90F6AB7E8EB55325F04062FF9159B791DB30A841CB91
              Function 03A2A020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 85605252fdda36095df2e9976601e6e6b09bb849c7cbac62f9e63c5e19e2bf0c
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: E9411831A08225DFDB24EFA985507BAFB72EB90754F19806FE9459B340DA35DD80CBA0
              Function 03A60710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 156c34da78cfa37cd22670eaf5e2b5fe98b70a5d4b7a42969d9e23d2a21a96d1
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: 85412E75A04705EFDB24CFA9C980AAAB7F8FF19700B10496EE556DB690D730EA84CF50
              Function 03A3262C Relevance: .1, Instructions: 119COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0cb7fe9442b40dcd26970f5b1be242c54c9567b217bbdc7f8f4ae0b29bdfe9a
              • Instruction ID: 615f5e7d0505f0bed8799da86aaec5dcd9c9417d71e83394ee427c0df1ec41e0
              • Opcode Fuzzy Hash: e0cb7fe9442b40dcd26970f5b1be242c54c9567b217bbdc7f8f4ae0b29bdfe9a
              • Instruction Fuzzy Hash: 4341EE75901714CFCB21EF28DA40B69B7B5FF86314F148AAFE4169B7A0EB309941CB40
              Function 03AFFFB1 Relevance: .1, Instructions: 117COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c99b14e06c4aaadc6873958652cedf5628644bc831ec42239f22f5d7dee6f27
              • Instruction ID: 5eaa930af206372ec4c1c91922ee5680cba4040d3b7b44f758a32d8076ba939c
              • Opcode Fuzzy Hash: 6c99b14e06c4aaadc6873958652cedf5628644bc831ec42239f22f5d7dee6f27
              • Instruction Fuzzy Hash: 6F413831A042595BD740DB2685A0ABABFF1EF85209F0CC1FAD8C1DB286E639C506C770
              Function 03AB07C3 Relevance: .1, Instructions: 114COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee9f20dfa75fcb94340cb645a87c0e383c330c020f1aa502f44ae28e523721a0
              • Instruction ID: dab232aaa158c20a5d6b7e951c0925530377887a9f5b6434fa6a72b5a524b4a8
              • Opcode Fuzzy Hash: ee9f20dfa75fcb94340cb645a87c0e383c330c020f1aa502f44ae28e523721a0
              • Instruction Fuzzy Hash: EA417C76508304AFD320EF69C945B9BBBE8FF88664F004A2FF998D7251D7709905CB92
              Function 03AFFA49 Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07f1b816e10b4df0c9ca3f7891afbf7c3364f832b540bc2d0d44f92a33f6ff88
              • Instruction ID: 7f0f85ee54c370ddac50931d314be29eeb5bf6057356eb64217508eb3eafa56f
              • Opcode Fuzzy Hash: 07f1b816e10b4df0c9ca3f7891afbf7c3364f832b540bc2d0d44f92a33f6ff88
              • Instruction Fuzzy Hash: 803159367001069FC718DF69CC44AA3BBA9EF84710F08867AFA18CB385E774D945C390
              Function 03AFEEDB Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db51585a54c2106c8cea4439f873848eaa7a3c032944ca4384e6e1da048bfa08
              • Instruction ID: 895409a17e050800ff0593ef7eca4f004c4270f221cf4b06a4151439ddee1234
              • Opcode Fuzzy Hash: db51585a54c2106c8cea4439f873848eaa7a3c032944ca4384e6e1da048bfa08
              • Instruction Fuzzy Hash: 5A418433E0412A8FCB18DF68D59197AF7F5FB4830475642BEE905AB294DB34AE05CB90
              Function 03AFFB76 Relevance: .1, Instructions: 109COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 99df16872ca346521ff76e8fd0c288bf1e648b919504b48b970d90989db0cb42
              • Instruction ID: 70f1bd8bc3b8287fa12f6188ef22cde2e920661b248cb4387545c364394762ba
              • Opcode Fuzzy Hash: 99df16872ca346521ff76e8fd0c288bf1e648b919504b48b970d90989db0cb42
              • Instruction Fuzzy Hash: C631F436610115AFD714DFA9CD48AABBBF5EF88354F44857AFA08CF244D634E902C790
              Function 0040E2F3 Relevance: .1, Instructions: 108COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction ID: 195b8b4f1f6b847c2f7d335df81756e7f4370e4413d10cbfb6fe233fc12569ad
              • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction Fuzzy Hash: B13172116587F14ED31E836E08BD675AEC18E9720174EC2FEDADA6F2F3C4988418D3A5
              Function 03A402E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 91c37f0ba8076008ccebf34710c73a99192e1493555dc1f27d2b366501c43c9f
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: C9310732A04244AFDB21DB68CC44B9AFFF9FF45350F0885ABE855DB351D674A844CBA0
              Function 03A59274 Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20980e25f55a32faa56c6de298ff1685e3a4589dd3fd19363150c15c00d0785
              • Instruction ID: c1a608a8e716a2defa4559a10c55687a07381f7245e1b33901e01bf14dec8919
              • Opcode Fuzzy Hash: b20980e25f55a32faa56c6de298ff1685e3a4589dd3fd19363150c15c00d0785
              • Instruction Fuzzy Hash: DC314275A00328EFDB21DB24CD40B9BB7B9AF85760F55019EB94DAB380DB309E448B51
              Function 03A35702 Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 85b1584032fba150422f2ef6af11059dc0812b7c552f82e51ddfbf8546a1b94e
              • Instruction ID: caf1a03fe6c60628a0dd6fc9f079145a43c22c04453db36417d2087b7fbf7f56
              • Opcode Fuzzy Hash: 85b1584032fba150422f2ef6af11059dc0812b7c552f82e51ddfbf8546a1b94e
              • Instruction Fuzzy Hash: B131CE35701A02FFDB55DB28CA80A99FBA9BF46354F04456BE8019BB50DB70E820CBD0
              Function 03A34260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d094bcd91e6f5b04b4608259ca810b4c4d3347fedabf7c6c4b16d72ee756281a
              • Instruction ID: 7c6777e45114ee2b259e7384b5f4b27839a0686d70650b4eff9e356f0f0f83d7
              • Opcode Fuzzy Hash: d094bcd91e6f5b04b4608259ca810b4c4d3347fedabf7c6c4b16d72ee756281a
              • Instruction Fuzzy Hash: 9C41AF75100B449FDB26CF29C981BD6BBE9AB4A354F04442FF6999F650C774E804CB50
              Function 03A550E4 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction ID: f51081b46c23124f23162288773496e556541b234bf98df6a3c0a99c3cdb2721
              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction Fuzzy Hash: A631D431A083419BEB21EB28C800767BAE5BF86754F0C856FFD868B381D274D841C7A2
              Function 03AF61C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a348b358dc08d9d8c7de24184ab9d6e1d3c38354b5f8742a355c3e05f5e97f6b
              • Instruction ID: 297e22d965ddef2e6cdf14a63723d190725b401a867a90b1fb916ccdd228f55d
              • Opcode Fuzzy Hash: a348b358dc08d9d8c7de24184ab9d6e1d3c38354b5f8742a355c3e05f5e97f6b
              • Instruction Fuzzy Hash: 9331A176E00215EFDB19DF98CD80BAEB7B9EB48740F49416AF500AB254D774ED01CB94
              Function 03AF6BD7 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c8d9305d39b6f576c26170394a0df4607d0ef141741020f24c5b9962ed265b3d
              • Instruction ID: 441ad80234f9b85874db4fddd785552d8e70c6a0a34f7ed4df09092a6c3b1ad2
              • Opcode Fuzzy Hash: c8d9305d39b6f576c26170394a0df4607d0ef141741020f24c5b9962ed265b3d
              • Instruction Fuzzy Hash: 39316D316002049FCB24DF6AD9C5A5B7BF4FF49344F8585AAF908DF249D270E945CBA4
              Function 03AF60B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8fefc32f358eee74250669a6c2a53541df8e2ff009ff38f824f3f7a0eb921c
              • Instruction ID: 5d4d80e6c21f5fba64785222863cb5c12074057b723899b21c9226861e9434ac
              • Opcode Fuzzy Hash: bd8fefc32f358eee74250669a6c2a53541df8e2ff009ff38f824f3f7a0eb921c
              • Instruction Fuzzy Hash: 2B31E235B00215AFDB22EBA9CD40B6EBBB9AB84354F0445BAF645DB361DA30DD008B94
              Function 03A307AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5d71fa833a8d1c85d93ce40ea508961437422530057e66c6a80456ce13a7350
              • Instruction ID: 5136f9f8b664ba176c1beb75b89ca9d0b0bdac83ff35c779946e7b4587a3bd15
              • Opcode Fuzzy Hash: e5d71fa833a8d1c85d93ce40ea508961437422530057e66c6a80456ce13a7350
              • Instruction Fuzzy Hash: DE31A076A04751DBC711EF28C980E6BBBA5EF86760F05496BFC569B310DA30DC1187E1
              Function 03A2D6AA Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction ID: eb43a35771edbffaabd0076309aedc849f8faa4c50c487ebd9d563ab6e2ac006
              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction Fuzzy Hash: 1931E336A00A24AFDB21DF5CC980B2ABBB9DB81710F1D846FED259B242D338DD40CB50
              Function 0042EFD3 Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 323a92139cc86694b5c1395d133b25a6ecbaf51b198634eaf1b2923f1c527413
              • Instruction ID: 0d681d265b8c90d4b081cec07bc1a55c6af914735c2eab6afc8f125b3556c89b
              • Opcode Fuzzy Hash: 323a92139cc86694b5c1395d133b25a6ecbaf51b198634eaf1b2923f1c527413
              • Instruction Fuzzy Hash: 7631C372B106265BD354CE3AD880656F7E1FB88310B94863AD918C3B41E774F966CBD4
              Function 03A357C0 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f857d78d7158342fd077451c557b50127f55c0307c9fc97317628e47e034ca1
              • Instruction ID: 70ea2c1dc56c1e3ad4a3de7320778ec72efa835459b3db9d7361008fcc8a7484
              • Opcode Fuzzy Hash: 3f857d78d7158342fd077451c557b50127f55c0307c9fc97317628e47e034ca1
              • Instruction Fuzzy Hash: 66318339B15A05FFDB51DB24DA40A59BBA5FF46354F4490ABE9018BB50D731E831CBC0
              Function 03A6A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: 44fd35d0e12f29d0f4970963481795f8dd9f28c962e129b4cbbeb5da9d8c92c8
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: 033128B2B00B00AFD760CF69DE41B57B7F8AB09A50F08092EA59AD3650E730E900CB64
              Function 00403150 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4db16e4e4e87330f8a3787ad51054faf92a6a3aa01db0c8038466bb80a668ad3
              • Instruction ID: 408b092440a794190e816e06009f58152804081f26505ab252b54f0a42df555a
              • Opcode Fuzzy Hash: 4db16e4e4e87330f8a3787ad51054faf92a6a3aa01db0c8038466bb80a668ad3
              • Instruction Fuzzy Hash: B431B172A10A144FD368CE6ED846747B7E4AB8C300F458A3ED99AD7780CA78E901CB84
              Function 03A5438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 663a37088795cf2c3b3e837922d66265ba1aeb4edf4038e2b67683f210b208fc
              • Instruction ID: 9c84c3cef76a2a9b52a5f8459333ef394efc3a95333ed19f0e86abd975400cbe
              • Opcode Fuzzy Hash: 663a37088795cf2c3b3e837922d66265ba1aeb4edf4038e2b67683f210b208fc
              • Instruction Fuzzy Hash: 8D31D631B403059FDB24EFA9C980B6FB7F9AB98305F00852BE945E7654D770E985CB50
              Function 03A392C5 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction ID: 41f29a22330a59c21a04975728f2cca3478fb6dcd4e2fe8ab7c2f222da2ba32f
              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction Fuzzy Hash: 3E316BB56083499FCB01DF18D980A5ABBE9EF89350F04096EF9519B3A1D734DC14CBA2
              Function 03A87190 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction ID: 8496094d4679e3b686f4be02aba5f420f422d013868d0591c44310e954c57651
              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction Fuzzy Hash: 65318A75604206CFC710DF18C480956FBF5FF89350B2986AEE9589B325EB31ED46CB91
              Function 03AEC3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: b3f6e7d3d8c8a3883213dff33af035c1f032d0e2f1a715ff1d47f1c30f62f4ac
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: C3210B3F600755A6CB14EBA58D44ABBF7B4EF50620F40841BFD668B792E634D950C360
              Function 03A2C156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 10441682143ff2e10de1f0fbafad119bfaf6e13f04ad73d989a75c3fd091e69e
              • Instruction ID: 63f5049d048da65b0ce98542e13307ed5445b2d683e46318757187c724efc1c0
              • Opcode Fuzzy Hash: 10441682143ff2e10de1f0fbafad119bfaf6e13f04ad73d989a75c3fd091e69e
              • Instruction Fuzzy Hash: CB31E8755003108BCB31FF28CD41BA9B7B4AF41314F5885AEE8459F3C1DA78D985CB90
              Function 03A2E388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: 6be498ffc77f99da7f20357187ce17bdcc4030ce99e742110f029f2edc085d95
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: B6319835600614EFDB25DF68C984F6ABBB9EF84354F1449AAE5128B790E730EE42CB50
              Function 03B003E6 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ca4fc2d2057f2b721026d9e3821c641e589cdf5e38f45c9aa7b9859f06b89267
              • Instruction ID: 842f19eb48e24731352997c2f9350ca748b29e7c628d8a17d6c6e99c31b900b6
              • Opcode Fuzzy Hash: ca4fc2d2057f2b721026d9e3821c641e589cdf5e38f45c9aa7b9859f06b89267
              • Instruction Fuzzy Hash: A1316671B00115AFCB14EBA5D994F9FBBB9FF88208F414179E905E7240DB306E04CB94
              Function 03AAE609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe0e0c0a6e68b9f076e0073759958ebc725c619241f1a18fd81638372ad471a7
              • Instruction ID: 5414556288cea4aca77af54bd0584462f8baaf486434672ffbac3bb4c914b861
              • Opcode Fuzzy Hash: fe0e0c0a6e68b9f076e0073759958ebc725c619241f1a18fd81638372ad471a7
              • Instruction Fuzzy Hash: 3231A076A00605DFCB14CF1CC884EAEB7B6FF88304B15495AF8099B390E775EA41CB90
              Function 03B00591 Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f996f56f7e18af1709c04f8104eed9d81abd0e8ce6b4e7374b6f01a7499018d
              • Instruction ID: 9b92ea5652eec92414f08be214399c4127a8bee0d9253d5814bdf9d0c5776272
              • Opcode Fuzzy Hash: 3f996f56f7e18af1709c04f8104eed9d81abd0e8ce6b4e7374b6f01a7499018d
              • Instruction Fuzzy Hash: 6721F3326002058FD728DE29C880BBABBA6EFD4308F5945B8E905CB2C5D730F845C750
              Function 0040E438 Relevance: .1, Instructions: 81COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e34233cf70e49777a1fb4434d53e6dac28de4b6090af324e981466a233ee1de2
              • Instruction ID: a2b2cdd6e78fcfafcc5e059ef843f90a228d223d8e1d833983f74fed9bd47263
              • Opcode Fuzzy Hash: e34233cf70e49777a1fb4434d53e6dac28de4b6090af324e981466a233ee1de2
              • Instruction Fuzzy Hash: 64213531A043449BD714CFBAC881BABB7F2BFC9304F058D6FD45AAB281D678A815CB50
              Function 03A5F32A Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction ID: 776df0fbfa74df8bb085ee9a9a24d65ac25c63c8521db731e0b29bba83dc814f
              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction Fuzzy Hash: 37219D72200300DFD719DF15C545B6ABBF9EFA5365F15816EE91A8B3A0EBB0E801CB94
              Function 03AB06F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 505861c4915b04f2863257ddab4115b3c054bc400dc3252a8b1146e6799410e6
              • Instruction ID: 35dabd07cad794f77d1305b6b6fb5542d963e8ac63f654862c33f5943f086e1e
              • Opcode Fuzzy Hash: 505861c4915b04f2863257ddab4115b3c054bc400dc3252a8b1146e6799410e6
              • Instruction Fuzzy Hash: 06218D75A00629ABCF20DF59C981ABFF7F8FF49740B54006AE541AB241D778AD52CBA0
              Function 03AB019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4394f00247f787b554161ca54f03d8e85f3f4b4577b6125826e06ed32b0efdf6
              • Instruction ID: ead4f6dccd50184d9fe44f6895c31d9cb99c59526c4c7772cf63b4d90afd4fc4
              • Opcode Fuzzy Hash: 4394f00247f787b554161ca54f03d8e85f3f4b4577b6125826e06ed32b0efdf6
              • Instruction Fuzzy Hash: F721BC75600604AFCB15DB68D980F6AB7B8FF88740F14016AF944DB7A1D738ED50CBA8
              Function 0040E443 Relevance: .1, Instructions: 77COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 765b14f26b770d5b834003ef1fea84480a6aeb7583a3b8e0b7fdf33bacab8201
              • Instruction ID: 9b84867eb3a4ab19f30cdad46694ef64250b5ac5ceec8580fb632e0a86044172
              • Opcode Fuzzy Hash: 765b14f26b770d5b834003ef1fea84480a6aeb7583a3b8e0b7fdf33bacab8201
              • Instruction Fuzzy Hash: D0210230A043449BD714CFBAC881BABB7F6BF89304F058D7FD41AAB281D678A8118B54
              Function 03AB0283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d0e53e777885b1d2ca7fde7633ab3e0860f28b5d5fb482448331dac3c712cfe
              • Instruction ID: 02ab7f6b5abb7ad43a892a62fba816729fb9701e8973191bc19f537efc0a1226
              • Opcode Fuzzy Hash: 5d0e53e777885b1d2ca7fde7633ab3e0860f28b5d5fb482448331dac3c712cfe
              • Instruction Fuzzy Hash: 0721B0729043459BC711EF69C948BABF7FCBF81240F08455BBD80CB292D734D948C6A2
              Function 03AD71F9 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4f9a7c00cc92fa43c14c654dfc1b8f7e6e7d7632cc008b57d54ee1a349aeecc7
              • Instruction ID: c8cc6152edefe1855bd3dbef3f5c3104ed435eac425c76c8f4c07d1921548f1b
              • Opcode Fuzzy Hash: 4f9a7c00cc92fa43c14c654dfc1b8f7e6e7d7632cc008b57d54ee1a349aeecc7
              • Instruction Fuzzy Hash: 34212831A047908FC32CDF658940B2BB7E9EFC1314F14496FF8A787250CB71A9858791
              Function 00404754 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a7a2034fd536bfe09338ed4770e987aa12c524cded4f73252d045896f95abe03
              • Instruction ID: 9ae5db45ee56ff205bddc3cee12d1c43c7fecdfb2fcd96d903c49aea1e8b3d89
              • Opcode Fuzzy Hash: a7a2034fd536bfe09338ed4770e987aa12c524cded4f73252d045896f95abe03
              • Instruction Fuzzy Hash: 703136B0C012199FCF88DFB895426EEBFF4AB08700F20456AD519F6251E3359A45CFA9
              Function 03AAD0C0 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction ID: c699146f45b4bb1a427ab309b04656c33923b4e7aedf325ee4dc2aa737b0d378
              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction Fuzzy Hash: 8321B072644B00ABD311DF1CCC51B5BBBB4EB89720F04052FF9859B7A0D730D90187A9
              Function 03B001AA Relevance: .1, Instructions: 71COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a7e7540d6b35ae0773defcbfdf58532279f93a25ff1c4da5357d5f6d1b62e69a
              • Instruction ID: 2f69d4ba6420ce59ad5e1e369c31798c21275ad31b46d0ff109f90485169308d
              • Opcode Fuzzy Hash: a7e7540d6b35ae0773defcbfdf58532279f93a25ff1c4da5357d5f6d1b62e69a
              • Instruction Fuzzy Hash: 4D21E4612042504FE745CB1A88B44B6BFE5EFD6229B0982E6D8C4CB346C135D907C7B0
              Function 03A6A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 70d0f84faab431c625d840ca31eed989c339b15e834d3396036205dd3872479d
              • Instruction ID: fcda52dc117d75957cee4c037bd19ced99529df4bbe9c78f20a5036528925e5d
              • Opcode Fuzzy Hash: 70d0f84faab431c625d840ca31eed989c339b15e834d3396036205dd3872479d
              • Instruction Fuzzy Hash: FC217F7A200B119FC725DF29C901B56B7F5AF48704F1884AAA519DBB61E371E842CF94
              Function 03AC80A8 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: 77636b453e6f7fce229158d08308e3613bf8e139e9214749da7fbd0edabf01df
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: D9216A76A00249AFDF12DF98CC40BAEBBF9FF88310F20485AF900A7250D778D9508B50
              Function 03A2B765 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 92d2e8cde5494efff6856a8dc7afe75558ac7ffe81cf384827968c51bb13822e
              • Instruction ID: 7538c14602a77caacf4f70c10952b4d8e2efa8e27f4860091f3245760eb7770d
              • Opcode Fuzzy Hash: 92d2e8cde5494efff6856a8dc7afe75558ac7ffe81cf384827968c51bb13822e
              • Instruction Fuzzy Hash: FB217C36100710DFC722EF58CA40F59BBF5FF58708F144A6EE0099BAA1C774A814CB54
              Function 03AFEE26 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 83e7f85f329b29a41cb252c81359b82f58bd3a56d5b9d7ec1fa6edebf5d7e441
              • Instruction ID: c4ee327196b94553d2f41869df296122e72dcebac36540ffd61e9e0161498653
              • Opcode Fuzzy Hash: 83e7f85f329b29a41cb252c81359b82f58bd3a56d5b9d7ec1fa6edebf5d7e441
              • Instruction Fuzzy Hash: 1A21B433A104119F9B18CF7DD804866F7E6EFDC31436A427AE512DB668D770BD118A84
              Function 03A60124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: adacb8655243f9cb1b2ea92db64297e0e72e7cfcc3f8a09e5bb704af25cef6d6
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: 1811EF76600704BFD722DF84CD81FAABBB8EB80754F15042BE6008F280D675ED84CB60
              Function 03A38770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d49c1d83830553d3e07570c50fb0d9046eb543e85c8f880416c2cbe8cc66c9ac
              • Instruction ID: 5ea207bf13b89a683a53eb9995577a93881d1ebff8a386588318ccd93ad01aeb
              • Opcode Fuzzy Hash: d49c1d83830553d3e07570c50fb0d9046eb543e85c8f880416c2cbe8cc66c9ac
              • Instruction Fuzzy Hash: 48119D356016209BCB11CF59C580A6AF7EEAF4B750B1880AFFD089F305D6B6E9058B90
              Function 03A33720 Relevance: .1, Instructions: 67COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e9e299812f574857b99bcd86c823c96a37f740f3bf3fc164ec5953cbe9a278ab
              • Instruction ID: cae6c3074c11ce79d111721a033156df3e51c5430e468a32260d0e9eee60ddf1
              • Opcode Fuzzy Hash: e9e299812f574857b99bcd86c823c96a37f740f3bf3fc164ec5953cbe9a278ab
              • Instruction Fuzzy Hash: 2A212978A043088BEB25DF5DC1487EEB7B4FB8A318F2D811DE812572D0CBB89945CB51
              Function 03A380E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 036517f9b12697cc6e1fd45c149029164eb74a2e45ecb244a40f7b886d66af03
              • Instruction ID: 691b6390283d5b07ef4983428d72cd93b3982a1ea4950a9d2b8ba1cffb9da2d0
              • Opcode Fuzzy Hash: 036517f9b12697cc6e1fd45c149029164eb74a2e45ecb244a40f7b886d66af03
              • Instruction Fuzzy Hash: 6D216D75A00205DFCB14CF98C581AAEBBB9FB89718F24416EE105AB310CB75AD0ACBD0
              Function 03A6674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0e1e1933df3f500d2544e17744d502153d51c5589dd9116139bf4f1612243c8f
              • Instruction ID: 5ef95460c80dda2e7e429cd92b2e654d245c940edc320a6fd5eaeb0641633099
              • Opcode Fuzzy Hash: 0e1e1933df3f500d2544e17744d502153d51c5589dd9116139bf4f1612243c8f
              • Instruction Fuzzy Hash: 67215C75610B00EFC720DF69C881B66B3F8FF85650F44882EE4AAC7660DB70AC50CBA0
              Function 03A29240 Relevance: .1, Instructions: 64COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ee79fa60ea518bf4f2a2fc2f01c75f572b1ec32169372753ba205b5f24e6057
              • Instruction ID: 9d5f3252acc0189fd9e81d26718db2e8af91ef8082507df3e87918604d5a1e61
              • Opcode Fuzzy Hash: 7ee79fa60ea518bf4f2a2fc2f01c75f572b1ec32169372753ba205b5f24e6057
              • Instruction Fuzzy Hash: 0311E63E010240EAD735EF55DA01B627BE8EBA4A88F14422AD8049BB54D378DD01CB65
              Function 03A666B0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f371a509242db5ada210891eb7059c96d87147fffca51f33e8b999bd44d5c5c
              • Instruction ID: 355e540f4e6692a6261fb9b7dfd766f34870c9cbb7fb461456ac2e0fde4203b7
              • Opcode Fuzzy Hash: 8f371a509242db5ada210891eb7059c96d87147fffca51f33e8b999bd44d5c5c
              • Instruction Fuzzy Hash: 7411A376A01244DFCB25DF59D680A5AFBF9EF95650F09407FE905AB320D674DD00CB90
              Function 03AFFF09 Relevance: .1, Instructions: 60COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0c9d0e73ce862386d572329c5c94429b97462a0648df0adbd61630ea6f910d0
              • Instruction ID: 27386d4bcbf650731782c82569814aab5304472df069243e50b9e817c715be68
              • Opcode Fuzzy Hash: a0c9d0e73ce862386d572329c5c94429b97462a0648df0adbd61630ea6f910d0
              • Instruction Fuzzy Hash: 842183B1A102059FD754DF2AE980B42BBE4FB4C214B8586BAE90CCF64AE370D944CF90
              Function 03A527ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f723a90eff920b781108c9886aa57008011debe952aa5b6d8d0456ef7dabbfb1
              • Instruction ID: 2233382c8d373267fbd14750b591aef4544a13c1bcafc7e890000b29dfd6f358
              • Opcode Fuzzy Hash: f723a90eff920b781108c9886aa57008011debe952aa5b6d8d0456ef7dabbfb1
              • Instruction Fuzzy Hash: C0010435605644ABE716E3A9D848F27A7DCEF80354F0944BBF8009B290DA24DC00C2A1
              Function 03A5B052 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fcd06e1585bef0ce6bc55920d5939abc2b4af3a11a93396533bcb62908ab218d
              • Instruction ID: 1a1e21968e36f335441ec0e40d1aa1a2dd63da86602f38834cfaa80bed65bf80
              • Opcode Fuzzy Hash: fcd06e1585bef0ce6bc55920d5939abc2b4af3a11a93396533bcb62908ab218d
              • Instruction Fuzzy Hash: 2401D676B04300ABD710EB699D81F6BB7F8DF84215F04042AFA05D7241EA70E9018631
              Function 03A34690 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f9daa018b3cde203684e55e93fdf306ada4e58f1c499669076dbc8aeb0dc22e
              • Instruction ID: f009e94ddbada91fb366c59745f1439273ea083fb671783991e4a5438d52352b
              • Opcode Fuzzy Hash: 3f9daa018b3cde203684e55e93fdf306ada4e58f1c499669076dbc8aeb0dc22e
              • Instruction Fuzzy Hash: F611E53A240744AFCB25CF5BD940F56BBA8EB8B764F04411BF8148B650C370E800CF60
              Function 03AED6F0 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction ID: a80833ff01f498278c5cf6f6a7e1e8c1f19a70854a5c46d817dbbbdb3e2269d4
              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction Fuzzy Hash: 56018479B00209FF9B04DBA6CA44DAFBBBDEFC6A44F05015AA915D7200E730EE01D760
              Function 03A66620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72dbfddae570842508e18fc55876b0e13275951522bf5257bfecc5a62fe8802b
              • Instruction ID: 686d38fa4f5c1679403a338e9e2ac2cd0eb9dc566b96f046e1e1200fc98af9eb
              • Opcode Fuzzy Hash: 72dbfddae570842508e18fc55876b0e13275951522bf5257bfecc5a62fe8802b
              • Instruction Fuzzy Hash: AC11E57AA00715ABCB26EF59DA80B5EF7B8EF84740F54045AE905AB310D778ED058B90
              Function 03A27330 Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fb7089c41d8fc78d4810b7fb7315dcfe123705544e046809eac73bfaafd070e
              • Instruction ID: b7e945504ff988ebb185ad29e3f9033da6e5248dc59b937be4559130a8e6c0a1
              • Opcode Fuzzy Hash: 4fb7089c41d8fc78d4810b7fb7315dcfe123705544e046809eac73bfaafd070e
              • Instruction Fuzzy Hash: CE11A0716007249FD721CF69C941FAB7BE8EB44304F05442EE985CB211D736ED00DBA1
              Function 03A5F2D0 Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20146239368a1e8721d0c2feea373b60b3f929618463e7bffa9b3844e265689e
              • Instruction ID: d1f9c5e04a603731c931ce34f5ffbc8c6ba733fe6c3655fd2a8eba26c0c986cd
              • Opcode Fuzzy Hash: 20146239368a1e8721d0c2feea373b60b3f929618463e7bffa9b3844e265689e
              • Instruction Fuzzy Hash: E511AC76600A48DFDB20DF69C984BAABBB8AB44610F1804ABE901AB781DB79D901C750
              Function 03AC72A0 Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction ID: 3f5b8faa1f0be129823cfa55df66fbbd08c596afa499f2242e692daab6f2d984
              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction Fuzzy Hash: 0D01F57A240605BFD715EF16CD94F62FB7DFF84390B44492AF110466A0C732ACA0CBA4
              Function 03A2A250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: bd5c3b6c54513a6aba77e78c8fcbb1603c743e7f8f4aa566ee2bf752e2989c2e
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: 9401D6725057219BCB34CF19D840A36BFBAEF45760705896EFC958B6A0DB35D420CB60
              Function 03A36259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b90215f9172681e8044ef3d9cc4c7ff918e951fcd763fb77d3e92a5ec3a51c6d
              • Instruction ID: 30d7961c039d396571f10400dda3b839956ba8ef4c3044c9114bf7e18e9e7e41
              • Opcode Fuzzy Hash: b90215f9172681e8044ef3d9cc4c7ff918e951fcd763fb77d3e92a5ec3a51c6d
              • Instruction Fuzzy Hash: 5F119E74901318ABDF25EB64CE81FE8B378EB44710F5045D6A314AA1E0DB709E81CF84
              Function 03AAE1D0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 47ec41ac85ad6d32585de4692333b6ed0fc875e395d4be067aff193e213e772d
              • Instruction ID: 366adb0a76b437d8ac7fa607e7497fdfd2af9c86198fd157296f6ca1397221b7
              • Opcode Fuzzy Hash: 47ec41ac85ad6d32585de4692333b6ed0fc875e395d4be067aff193e213e772d
              • Instruction Fuzzy Hash: 04117936241740EFCB15EF18CA80F56BBB8FF58B44F2400AAF9059B6A1C335ED01CAA0
              Function 03A3208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: 5ffaccdbfd3a7dae6fac871b129ad893e2d3c32bfe6815e0622a4b6f4024d29a
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: F60124322002108FDF10EB29D884BA6B76ABFC6700F1949ABFD058F245EA71CC81C790
              Function 03AB6050 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f09bd4a8a8fff9bca57f865fdbeec149c1af2b131c4d875a02d138fcbe40057
              • Instruction ID: 43162754b09784779def1ec64d48b330b2b2b6bba78a440348060d86662f81c0
              • Opcode Fuzzy Hash: 8f09bd4a8a8fff9bca57f865fdbeec149c1af2b131c4d875a02d138fcbe40057
              • Instruction Fuzzy Hash: E6112977900119ABCB11DB95CD84DEFBB7CEF48258F044166E906E7211EA34EA14CBE0
              Function 03A720F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6c4edc55f51f12780bc98ff4edd503ff0ad62ce3797b01c317bd70bcaea1045
              • Instruction ID: eb2999fd842df6bab6129686909134c1554a65704baff812e751b038013cdcc7
              • Opcode Fuzzy Hash: f6c4edc55f51f12780bc98ff4edd503ff0ad62ce3797b01c317bd70bcaea1045
              • Instruction Fuzzy Hash: D1116D35A0020CEBDF15EF64CD90FAE7BB9FB48240F00445AE9019B390DA35EE11CB90
              Function 03A2C020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: 900fbc7836c95dc13b988594fd4c43bd9379a9b314c3941fc9ce8e43ab6eb89c
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: C001D8361007449FDB26E76AD900EABBBFDFFC4654F08881FA9568B680DE70E441CB50
              Function 0040E48C Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970657571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 41a0fb846596c415fb50592d9fda9d829d7eb905070bbc78f5896d00c67a3962
              • Instruction ID: 815297ca22f77ead07a54f1fd0ccd8a496c05e73832186dc978523d4524aa30a
              • Opcode Fuzzy Hash: 41a0fb846596c415fb50592d9fda9d829d7eb905070bbc78f5896d00c67a3962
              • Instruction Fuzzy Hash: 211173349042449FD724CFB6C481BABB7F2FF89314F05CDAAC45AAB291C675A951CB50
              Function 03A29353 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction ID: 227a5cc69cfbe1156be645cdfbddeaad564e70d8514a7f4472c0b3d438f9ee16
              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction Fuzzy Hash: AA118B36900B219FD721DF19C880F22BBE4BF80B62F19886ED4894A5A5C374E890CB10
              Function 03A533A5 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction ID: c3d66092e89ac09ba9a27b816b33b241d615acb30af9f14fecdf4d6e594216be
              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction Fuzzy Hash: 2601623A700605ABCF12DB9BDD00F5EBA7C9FD4692B15442ABD15DB2A0EA30D901C760
              Function 03A6D1D0 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction ID: 35baeaad087bc91c9677830348907f2cfff20f8c7eaaf9e6f36a6c4c6a409f6c
              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction Fuzzy Hash: 9101D47AB016049BDB15DB64E800F69B7ADABC4664F14815BFA268F380DB34D941C791
              Function 03A2826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 241da477e144ad3a4b58035b7456bb19d86f3e078b058bbfb4f40fdea9a9a42f
              • Instruction ID: 57c5b19d648ef0d345c65cab2f4c5ad50b4f937d4e691e1ae5760105e4429e47
              • Opcode Fuzzy Hash: 241da477e144ad3a4b58035b7456bb19d86f3e078b058bbfb4f40fdea9a9a42f
              • Instruction Fuzzy Hash: 8901A735700618DBC71CEB69DE149AFBBBDEF44610B19416BA906AB740EE34DD01C7A1
              Function 03A4E016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 4eed0441345b0b98b2512cdb6283b3d6224e03c7df57c0318af659ad18356a81
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: 8A015672240A809FD322D71DCA48F77B7ECEB85750F0D44AAE815CBAA2D728DC40C621
              Function 03AEF367 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6b9053da20044e91e4f27e4f6899b50b78bbd2270896c93f9d32ba54a67f9c4
              • Instruction ID: ea0ae34c62ba98caee40e8f85227ca39a39f2bfd1eaeffcf02a296590557d525
              • Opcode Fuzzy Hash: f6b9053da20044e91e4f27e4f6899b50b78bbd2270896c93f9d32ba54a67f9c4
              • Instruction Fuzzy Hash: EF017175A10358ABDB10EBA5D945FAFB7B8EF44700F04406BA500EB380D674D901C794
              Function 03AF972B Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
              Function 03B05636 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 90caefed5ebe20e2177241082b7bc606a829a766ba66911957df796a16d6c366
              • Instruction ID: e81b654fbeef797b00d959997788ca1560c2d38a0a46e493c61c0c0f743e1f28
              • Opcode Fuzzy Hash: 90caefed5ebe20e2177241082b7bc606a829a766ba66911957df796a16d6c366
              • Instruction Fuzzy Hash: F9116D78D10249EBCB04DFA9D544AAEBBB8EF18304F14845AA814EB380DA34DA02CB95
              Function 03A2C310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 368a86fe7e59a70ae6a517a23032af5f1cbac8e956bde417cc8636ddd118d208
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 02F0C8372447329BC732D75D4984F6FEDA58FC5AB4F190437E5099F244CA648C0156D0
              Function 03B05152 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8c757f401af9b8aad867acdab572207c945558e8645fc443047324612908314
              • Instruction ID: 244cabd135d62c22107a0457f215ad1f84585de6a7db30a1e7b7116f5ae2fe70
              • Opcode Fuzzy Hash: a8c757f401af9b8aad867acdab572207c945558e8645fc443047324612908314
              • Instruction Fuzzy Hash: 61012175A10209ABDB00DF69D9419EEBBB8FF49304F14405AE500E7380D6749A018BA1
              Function 03B050D9 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a0c5d66da2ce653d483f3172c78d6f70a16605179b5f5aeb6c4c10194c1eb9f6
              • Instruction ID: d9f08c81fdfbbf6bbe599d904ef22ccb8d2e73b3290b06cce8bc11cedde8f919
              • Opcode Fuzzy Hash: a0c5d66da2ce653d483f3172c78d6f70a16605179b5f5aeb6c4c10194c1eb9f6
              • Instruction Fuzzy Hash: B1012175A0030DABDB00DF69D9459EEBBB8EF49304F50405AE500F7380D67499018BA1
              Function 03B05060 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 18272093ab2be0949183936700a6989f2d5ad41d5ce07f0c2bc1f051c477ee53
              • Instruction ID: 2aaea022f879c4970b807fd3aa70bdcb40d1862f5a0bb96c977a102bb6ade968
              • Opcode Fuzzy Hash: 18272093ab2be0949183936700a6989f2d5ad41d5ce07f0c2bc1f051c477ee53
              • Instruction Fuzzy Hash: 27012175A103099BDB04DF69DA819EEBBB8EF49304F10405AF501EB381D674AA018BA1
              Function 03A5C073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: b8cb4db9df78cf46f588b48bd84d9a8d084f618b85617e0a675e1aa49731a42e
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: F3F0C2B3A00610ABD324CF4DDD40E57F7EADBC0A90F08812EA905CB320EA31DD05CB90
              Function 03A65734 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction ID: 20e20ffd4aaa5b1fe9642b71c9415c759a8b9771f0847c40a58dd8244d1d99ce
              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction Fuzzy Hash: 9DF0FF72A01214AFE319CF5CC940F6AF7EDEB46650F09407AD500DB230E671DE04CA94
              Function 03AEF78A Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a764a145609fbc753075d1a20e732e999399882f46177dac8e974547751ac03
              • Instruction ID: a47382eea74cb12c64d764e1c41e1c75aa518cc41b0cdcbadb49dd4705a7f4f8
              • Opcode Fuzzy Hash: 7a764a145609fbc753075d1a20e732e999399882f46177dac8e974547751ac03
              • Instruction Fuzzy Hash: 91010CB4E00749AFCB44DFA9D545AAEBBF4EF48304F11806AA855EB381E674DA00DB91
              Function 03AB63C0 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: 335c7ebc0b56f9dc14696a5dadf655d2fd3fe79158e561a7b54d60f7a8691421
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: CDF01D7620011DBFEF019F94DE80DEFBB7DEB59298B104125FA1196170D731DD21ABA0
              Function 03AEF2F8 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf448e02fe1e66fd0f7b2a16a44b26e941c0045ca4e8cddd849c5824c191c41a
              • Instruction ID: 154b60ed44c8affb2bd8e57b03a36b87f48db01116ff1796c7864cdf67ea741a
              • Opcode Fuzzy Hash: bf448e02fe1e66fd0f7b2a16a44b26e941c0045ca4e8cddd849c5824c191c41a
              • Instruction Fuzzy Hash: B6F0A476A10348AFDB04DBB9C945AAEB7B8EF44710F00805BE511EB280DA74DA018791
              Function 03B061E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2c269547765d3a2dd13818bab8e48e2ca5bdac2b03c30ea6c51009e31f7a6b7d
              • Instruction ID: 68e25f42139357f4bbad57af540a46dc178041918628f63f851410c5bda78b12
              • Opcode Fuzzy Hash: 2c269547765d3a2dd13818bab8e48e2ca5bdac2b03c30ea6c51009e31f7a6b7d
              • Instruction Fuzzy Hash: AA012C75A002599BDB04DFA9D945AAEBBB8FF48314F14406AE501AB380D778AA01CB95
              Function 03A6724D Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction ID: 39dd611ef6022837379d7785dd480d0cd67b4aee8731f6082bdeddb6314e9b8c
              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction Fuzzy Hash: BEF0FC75A213556BDB18D7798940FABB7A8DF84714F08459BB9029B240DA31D940C750
              Function 03B053FC Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16a159de9f277c120a734007c4b26e642358c6d019b3a6cf10f68d946351f82f
              • Instruction ID: 0228fd72447fb09baf68f5a7b202a53a2c41b0987b9bfc15bfff00d143ff7dfc
              • Opcode Fuzzy Hash: 16a159de9f277c120a734007c4b26e642358c6d019b3a6cf10f68d946351f82f
              • Instruction Fuzzy Hash: 31015A74A00209DFDB04DFA9C545B9EFBF4FF08304F0482AAA519EB381EA349A008B91
              Function 03A2C0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a1aaa6f882998730be31c0c367c2a4cfc2acb6b41e1e84dea7bd626fb58b5120
              • Instruction ID: 0bf5a89795d5d06e61c91cdb8afbd574c1a09d7b7f25a9d3dd65629342a4eac4
              • Opcode Fuzzy Hash: a1aaa6f882998730be31c0c367c2a4cfc2acb6b41e1e84dea7bd626fb58b5120
              • Instruction Fuzzy Hash: 50F0B4712043255BF714D75DAD02B667BAAEBC0761F29806BEB058F2D0FA71EC4183A4
              Function 03B03749 Relevance: .0, Instructions: 38COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction ID: 242679b9bf93a3c5238942c0e85699314d958ab90854808c27c10d2843c4c417
              • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction Fuzzy Hash: EEF04FBA940304BFE711EBA4CD41FDA77FCEB44714F100166A916DA2D0EA70AA44CB90
              Function 03AD437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: efb955027b8e65a0d8b6b3a5ab5985aee7f51d0e6423636e625f49a39edd5bd7
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: EAF0BE3A749B1287DB35EB2F8520A2AE296AF84A00B49052F9803CBB80DF30D8009790
              Function 03AEF3E6 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b410cd004dfa54344d66e17f3581bd4abafe994b753d0e6187e691ec8858921
              • Instruction ID: 8b70ec4f32ddc7be9db3f551646989001fa90306880618274160b5b70c1d0e75
              • Opcode Fuzzy Hash: 2b410cd004dfa54344d66e17f3581bd4abafe994b753d0e6187e691ec8858921
              • Instruction Fuzzy Hash: E8F04F75A01348EFCB04EFA9DA45A9EB7F4EF58300F40806AB945EB381D674DA01CB55
              Function 03A292FF Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a1a7c99277005009633fa1d619d8fbd635503e142ce4a2e4b886860de6503e8d
              • Instruction ID: 797146a52f54416aab23155d738f4754403e5405fd88ba3f8bfb5db2c50b135f
              • Opcode Fuzzy Hash: a1a7c99277005009633fa1d619d8fbd635503e142ce4a2e4b886860de6503e8d
              • Instruction Fuzzy Hash: D1F0FA32200340ABD731EB09CE08F9BBBEDEF84B00F08012EA94683190C7A0A909C660
              Function 03A347FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dfb632500084406fa95daede6d3799fe8515035826054c76bd46a701b3c10f06
              • Instruction ID: 9483396a014365a0e81710263047f863fc043512364172cafe7c630508a92f08
              • Opcode Fuzzy Hash: dfb632500084406fa95daede6d3799fe8515035826054c76bd46a701b3c10f06
              • Instruction Fuzzy Hash: 83F0BE399127E49FD732CB6BC548B61B7D8DB0A764F0C89AFF48987641C764D881CA50
              Function 03AEF6C7 Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a46f318d9e2c2fe75cbc791f75c1951b162018870994d98631c629eaec64aee
              • Instruction ID: cc8e4f7b964f211a37d478392a9c0ef19987c0b06a34a57d373e65dfc20ba3a4
              • Opcode Fuzzy Hash: 4a46f318d9e2c2fe75cbc791f75c1951b162018870994d98631c629eaec64aee
              • Instruction Fuzzy Hash: 8CF06D79A10348EFDB04EFA9D955EAEB7F4EF48304F00406AE501EB381EA74DA01CB54
              Function 03AF0115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c9ed94aa2e45b5dc5c3d06883dbe7b7681d43796a27f2321c5731e6847bed85
              • Instruction ID: f0fe6c4bfcaf9779305a55cc4ebde8500756a773662c32e3aedeb1fa696012e5
              • Opcode Fuzzy Hash: 6c9ed94aa2e45b5dc5c3d06883dbe7b7681d43796a27f2321c5731e6847bed85
              • Instruction Fuzzy Hash: 3FF0273A4167C04ECF32FB6866903D1BF58975A118F1D158FD6A15B606C9B48483C628
              Function 03B0539D Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df3f4b144618c593f4bf76c3e722b9829cebe9d61e4739b0431f71751371a18e
              • Instruction ID: a8686020698d4ecdd599e830beedcce294fe4c1dbf5e30c8f63237742b660ca5
              • Opcode Fuzzy Hash: df3f4b144618c593f4bf76c3e722b9829cebe9d61e4739b0431f71751371a18e
              • Instruction Fuzzy Hash: E7F05474A1434C9FDB14EB79D545E6EB7B4EF48304F1084A6E502EB3C1DA74DA01CB65
              Function 03B05283 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f793b8822659d24f0f2cfa7545c4042845d7e8a657ef7f2b955e66223012c931
              • Instruction ID: be3a8696d41d52c25e9478716312e8a9fdf7ab436fabdfffc18ec64efac5b1db
              • Opcode Fuzzy Hash: f793b8822659d24f0f2cfa7545c4042845d7e8a657ef7f2b955e66223012c931
              • Instruction Fuzzy Hash: BFF0B474A10308DBDB14EBA5DA45E6EB7B4FF04304F00446AA441EB3C1EA34D9008B50
              Function 03B052E2 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6584b024a7a24b63fabdf17cd116427f7c020bda76d7e13e9cd24dc6fbb9e797
              • Instruction ID: bba30d62e3b0f0d79f64268220767b0a30a7ad23dd812a5a1234da843304a805
              • Opcode Fuzzy Hash: 6584b024a7a24b63fabdf17cd116427f7c020bda76d7e13e9cd24dc6fbb9e797
              • Instruction Fuzzy Hash: 4BF0B474A103489BDB14EFB5DA45E6EB7B4EF04304F04446AA401EB3C0DA74DA00CB54
              Function 03B05341 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8ea71efe9a902dc11e2f20bc60f5f2287d9a33bd699f8fcaa5256dd0d64046ab
              • Instruction ID: 550d48c5d2501edc3fb5a6699c1624780c5fcb7aa02c63a54cbce5dcdebee32f
              • Opcode Fuzzy Hash: 8ea71efe9a902dc11e2f20bc60f5f2287d9a33bd699f8fcaa5256dd0d64046ab
              • Instruction Fuzzy Hash: A3F02774A0430CEBCF14EBB9DA45E9EB7B8EF09304F1041AAE402EB3D0EA74DA008714
              Function 03B05227 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5b425683458b36015aea062c3d5a734d17ef5387a4241251d6dc09c74b50c86d
              • Instruction ID: 6ef104c3e5a4b18a213a6993d832ac2b19988d953ab54c741273b27ff2656376
              • Opcode Fuzzy Hash: 5b425683458b36015aea062c3d5a734d17ef5387a4241251d6dc09c74b50c86d
              • Instruction Fuzzy Hash: 7FF08274A14348ABDB14EBA9DA45E6EB7B8EF44704F0404AAA901EB3C1EA74D9018755
              Function 03A67208 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f45b5cf61fa98a58302badd4688afe0631e8a4380195cd2b4e2fea6d7e5a55b
              • Instruction ID: 1c307cc8d6f9db428a611ada13e91b7745b30e3e1d434c668e2254853228184c
              • Opcode Fuzzy Hash: 9f45b5cf61fa98a58302badd4688afe0631e8a4380195cd2b4e2fea6d7e5a55b
              • Instruction Fuzzy Hash: 04F02773951A969FD721C32EC184B11B7D99F08774F0C80ABF4058F741CBA8CC80C251
              Function 03B051CB Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 45982d174c7a7194c462f46ca01dafdfc4752cddc91f5d6cee5f6d596fac5991
              • Instruction ID: 50af4419705548532fd641c9c542bbcb829f6aab6fbdef7111521f89975bbbdb
              • Opcode Fuzzy Hash: 45982d174c7a7194c462f46ca01dafdfc4752cddc91f5d6cee5f6d596fac5991
              • Instruction Fuzzy Hash: 9FF08974A14248DBDB14EBA5DA45E6E77B4EF04308F040456A501DB3C1EA74D901C755
              Function 03AAD070 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction ID: cc3639708699b33f3e217780a3bc053540b6ccfb31a02fb15b913a0ea473a169
              • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction Fuzzy Hash: F4F0E53360461467C230AA0D8C05F5BFBACDBD5B70F10471ABA649B2D0DA70A911D7D6
              Function 03AEF72E Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 420dc8a6c2d171b249e6534ad8805fece9e7f7abfb581fd84e80b4676ba7a132
              • Instruction ID: 97f1dec1c1cb2a0231a85d49e12b5e06522336799feb5dba1921d9b3f05c8eb6
              • Opcode Fuzzy Hash: 420dc8a6c2d171b249e6534ad8805fece9e7f7abfb581fd84e80b4676ba7a132
              • Instruction Fuzzy Hash: 29F08275A10348AFDB04EBA9DA59E9E77B8EF08704F05005AE541EB3C0D974D9019755
              Function 03A30710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: d8b9f8f3ce6128362001d2ad11cd85a4320b1d83ba7fa17250fe40474574c3ba
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 38F06D7E204B44DBDB16DF1AD150AA57BA8EB46360F0444DAF8468B351EB31E982CB94
              Function 03B037B6 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction ID: 3dcd295184362b39179723e88b3cd508f60b2b3fdb67deb98148697c0c983add
              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction Fuzzy Hash: 7FE09276210200BFE764DB58CE49FE673ECEB40720F140269B119971D0DBB0BE40CB60
              Function 03AB4000 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: 77d2075e9afeeef6d68ab2e0df54db4a0504bb3a213196d68c54f1e257b2ccc7
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 89E052753003459FD715CF1AC054BA6B7BABFD9A50F28C069A8488F206EB36E942DB51
              Function 03AEB3D0 Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction ID: bebb8406a9526c31a1da8972a3d9af41289572bbd4e274aa09faba94afa07283
              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction Fuzzy Hash: 3EE0CD35244314B7DB22AB44CD04F697B15DB507E0F104033FA085EB90C5B19C51D6D4
              Function 03A2823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: 6df77792f9dd573587d72fd9da3d0319bce509369d3a577792f4e907219690ea
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: 7CE08C35101A20EEDB35FF19DE04B527AA9FB84B10F14486BF0820A5A487B8A891DB54
              Function 03AB92BC Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c95800db9e9f72fed0cc7f01bdcde1f15b9c4fb4cf88abc721372dced68286a1
              • Instruction ID: 1200c969e43a5743e8d64b2310c09a40d4fd98969fbbf5507d2f6ab88761736d
              • Opcode Fuzzy Hash: c95800db9e9f72fed0cc7f01bdcde1f15b9c4fb4cf88abc721372dced68286a1
              • Instruction Fuzzy Hash: 0EF0ED34651B84CFE72ADF04C1E1B5273BDF755B44F50055DD4464BFA2C73A9941CA40
              Function 03A32050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54894a372e807c2b5fb1d07b876bc0dc0cb3b510034075ec717764bb77085704
              • Instruction ID: 601dad5c80c12617f5d4743ce3e23024aaa2b594b4ad4ab87c3519fc28093661
              • Opcode Fuzzy Hash: 54894a372e807c2b5fb1d07b876bc0dc0cb3b510034075ec717764bb77085704
              • Instruction Fuzzy Hash: 4DE0C2322006506BC722FF5DEE00F8A739EEFA5360F004222F1508B7D0CB64AC00C794
              Function 03A2A0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: 5ca58db2cdc55280e822d0ef860c04dbec8a2b73236f7070fd50ea0e26cf28eb
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 1ED0123631617097CF29E7596914F67AD159BC1AA4F1A006E780AD7940C9158C42D6E0
              Function 03A402A0 Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: 880e27663e21d8a20c9055a319c5d6904da45485ca8a29adbb4b079c6035c6ac
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: 4DD0C935212E80CFDA1ACF0DC5A4B16B3B8BB84B44F8504D6E641CBB61D66CD940CE00
              Function 03AB930B Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction ID: 632d3b0d76bb7d08aee6107e8458d0d5c7023bb214be5985c1e856d51f911031
              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction Fuzzy Hash: 43D01735945AC48FE727CB08C165B917BF8F705B40F89009DE04247AA2C37C9984CB10
              Function 03A6C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: 0c8f2f15a9ff17853e7808da0b1fe326ad6be17876a823b7d93c5f23639fae69
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: A8C01236250644AFC711EA94CD01F0177A9E798B40F004021F2044B670C571E820D644
              Function 03A50310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: 95bff0504406cec5cc201f72e0cf991c6552edae0daec6b6adc423965ac4311d
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: 7ED01236100248EFCB01DF41D990D9A772AFBD8710F149019FD190B7108A31ED62DA50
              Function 03A30750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: 54cf3c959cba6ba43dd42daf1549acb4edaae4b9eb13ace2f51034a607eecbb7
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: A5C048B9B01A41CFCF15EB2AD398F4977E8FB84740F1948D1E805CBB21E624E811CA10
              Function 03A74340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68c526662f9eaac2dc143cb60ac73e07b925d6bfbb7f06ab4b7d19c33b5057f9
              • Instruction ID: 4f5b4623c9dff27b171f5295851ec73d05e3a1f9d48205e9d262bdda1c1e9b40
              • Opcode Fuzzy Hash: 68c526662f9eaac2dc143cb60ac73e07b925d6bfbb7f06ab4b7d19c33b5057f9
              • Instruction Fuzzy Hash: 56900231605804129140B25848C4586800A97E0301B96C012E0424558C8F188A565371
              Function 03A73090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 39a5df7367ab553756e9914722894eb56deb5e3fa822f085525e943d64cddd48
              • Instruction ID: 1d54d1d9bd09668607714e1ffd1c9049cf6b1357f8c7e39cd06b43f6e8a6e90e
              • Opcode Fuzzy Hash: 39a5df7367ab553756e9914722894eb56deb5e3fa822f085525e943d64cddd48
              • Instruction Fuzzy Hash: FA90022124140C02D140B2588454747400BC7D0701F96C012A0024558D8B1A8A6566B1
              Function 03A73010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ce61163c570eb71effab79aca9290af278e8b1b65eb8bf01d7185b76370a12a
              • Instruction ID: a9f046f472ae041aa9ab1269dc12bb4c1ca045a3c2b9b053e93a73cc8fea41fe
              • Opcode Fuzzy Hash: 7ce61163c570eb71effab79aca9290af278e8b1b65eb8bf01d7185b76370a12a
              • Instruction Fuzzy Hash: CB90022120184842D140B3584844B4F810A87E1302FD6C01AA4156558CCE1989555731
              Function 03A74650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a53c565c7e2089dbd264bf25a15b57c5dae226d02f09b87817634c432705d30
              • Instruction ID: 9b6c94d190057ec0c99f38a1ffbe42ed098602b745881b9a3c029e2c805014b7
              • Opcode Fuzzy Hash: 7a53c565c7e2089dbd264bf25a15b57c5dae226d02f09b87817634c432705d30
              • Instruction Fuzzy Hash: D5900261601504424140B2584844446A00A97E13013D6C116A0554564C8B1C89559279
              Function 03A72BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d20371795200f7d6214868c544299361f11c4b1892bb3189543ee8c8c91eccf
              • Instruction ID: bd5aec11f7a917f59858093a662180b6b57f313dec5733e9e4d6197ace2d1c29
              • Opcode Fuzzy Hash: 8d20371795200f7d6214868c544299361f11c4b1892bb3189543ee8c8c91eccf
              • Instruction Fuzzy Hash: 8F90023160540C02D150B2584454786400A87D0301F96C012A0024658D8B598B5576B1
              Function 03A72B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1981b2a18ec334b45b6691ae50d0b5dd9f5ef5ef4770d89bd83fdb9a71b7165a
              • Instruction ID: 9f0212bf7eaeeebf89fe636263a96049ff3b913ef59b41b21d89ae7b387dfc7a
              • Opcode Fuzzy Hash: 1981b2a18ec334b45b6691ae50d0b5dd9f5ef5ef4770d89bd83fdb9a71b7165a
              • Instruction Fuzzy Hash: DC90023120140C02D104B25848446C6400A87D0301F96C012A6024659E9B6989917131
              Function 03A72BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 80cbff06bf80c0e2aa0fb2f0763fea77ec6522d48615e2989a6f35af46e81d6a
              • Instruction ID: 99f1909509e894226c65ffe029000fa59f8593dff52a4795a55c379d7f220421
              • Opcode Fuzzy Hash: 80cbff06bf80c0e2aa0fb2f0763fea77ec6522d48615e2989a6f35af46e81d6a
              • Instruction Fuzzy Hash: F990023120544C42D140B2584444A86401A87D0305F96C012A0064698D9B298E55B671
              Function 03A72BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4092c4c0539e6af747af659d731272539888c7c5ab560a979c00cb38991e8eda
              • Instruction ID: 2b52c13725e8dd7f0cd6669340a04226487b6a364c2a99490ef91d9da8a08125
              • Opcode Fuzzy Hash: 4092c4c0539e6af747af659d731272539888c7c5ab560a979c00cb38991e8eda
              • Instruction Fuzzy Hash: 4190023120140C02D180B258444468A400A87D1301FD6C016A0025658DCF198B5977B1
              Function 03A72AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52888675d200e506bc2b322d23e9808c2cc9c5044c8c63cb38af478ad7a2b7b7
              • Instruction ID: 49060d19ecef0a5904bf1671d538003d4a171ee58bfddd45c12a31b441553543
              • Opcode Fuzzy Hash: 52888675d200e506bc2b322d23e9808c2cc9c5044c8c63cb38af478ad7a2b7b7
              • Instruction Fuzzy Hash: D79002A1201544924500F3588444B4A850A87E0301B96C017E1054564CCA2989519135
              Function 03A72AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 47f35ad641ac83e2186a6eb4d232ee54244e75c1077c22e31e6da9ea883eb012
              • Instruction ID: a5223688f6abb881e12cf11eaba9a95051dd7c49413644d08c58e0321b2e575e
              • Opcode Fuzzy Hash: 47f35ad641ac83e2186a6eb4d232ee54244e75c1077c22e31e6da9ea883eb012
              • Instruction Fuzzy Hash: EE900225221404020145F658064454B444A97D63513D6C016F1416594CCB2589655331
              Function 03A72AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6902ab728e85863d3f4bda96277ad561ed39ac51406dcff81c3992767dc2b68
              • Instruction ID: 59f9088fff3487e3ea323a96c53c24ff27f134106eddd6390f43d77e3a418e95
              • Opcode Fuzzy Hash: e6902ab728e85863d3f4bda96277ad561ed39ac51406dcff81c3992767dc2b68
              • Instruction Fuzzy Hash: 4B900435311404030105F75C0744547404FC7D53513D7C033F1015554CDF35CD715131
              Function 03A739B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cf369254d1442b133412931394f5493e607a14cd8e11e3d0028d41554af0dd56
              • Instruction ID: 7e3f6e138cf15bcf951c92bf1d94aae68fc09b48b1a9639f62d079b5cdaa2739
              • Opcode Fuzzy Hash: cf369254d1442b133412931394f5493e607a14cd8e11e3d0028d41554af0dd56
              • Instruction Fuzzy Hash: BD90022124545502D150B25C4444656800AA7E0301F96C022A0814598D8A5989556231
              Function 03A72FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a7b9f996df2abde099f42cfc5af05c71f0c0d7132c79f02fb958c1306fc47d1c
              • Instruction ID: 862c9a2c29e6b4f4d9be7dafc4b8161a4e5858567f33c7d16480529c7f84f6cf
              • Opcode Fuzzy Hash: a7b9f996df2abde099f42cfc5af05c71f0c0d7132c79f02fb958c1306fc47d1c
              • Instruction Fuzzy Hash: 5290023120180802D100B2584848787400A87D0302F96C012A5164559E8B69C9916531
              Function 03A72FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1600046cbbb195b19ec7098c4622af91ab2dc97aa8f6916553bdbe82b1702426
              • Instruction ID: f395d6521db4a6659c57406cb5216dcf6c434b789d4011497581894ad8c81e27
              • Opcode Fuzzy Hash: 1600046cbbb195b19ec7098c4622af91ab2dc97aa8f6916553bdbe82b1702426
              • Instruction Fuzzy Hash: E3900221601404424140B2688884946800AABE1311796C122A0998554D8A5D89655675
              Function 03A72F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8679b508a523df612dbdc91b9e802291fba349013447b279d6aaaedfadb40da0
              • Instruction ID: 85e24c5b67aef11bc723c4417f91d54dec2a8bee427fcca3f63a43713e790caa
              • Opcode Fuzzy Hash: 8679b508a523df612dbdc91b9e802291fba349013447b279d6aaaedfadb40da0
              • Instruction Fuzzy Hash: 9A90023120180802D100B258485474B400A87D0302F96C012A1164559D8B2989516571
              Function 03A72FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 19ed4ca94fbcb0ce4136e1c08095813115e6bbc47b29a5353b9d79ee7366c560
              • Instruction ID: 269aa5b9903bf4c6c8ee247f90942a250528b3b8f4b6f402b25910e3670f4eb2
              • Opcode Fuzzy Hash: 19ed4ca94fbcb0ce4136e1c08095813115e6bbc47b29a5353b9d79ee7366c560
              • Instruction Fuzzy Hash: F4900221211C0442D200B6684C54B47400A87D0303F96C116A0154558CCE1989615531
              Function 03A72F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e6367d51e3f464020c64b0e0342dd17d4ce4b7d184fa149db916abad78e5668
              • Instruction ID: 7e5bb11c719795e81707f8a49892f40e9e9ba9841dca345d0b2f30796632da34
              • Opcode Fuzzy Hash: 2e6367d51e3f464020c64b0e0342dd17d4ce4b7d184fa149db916abad78e5668
              • Instruction Fuzzy Hash: E990026134140842D100B2584454B46400AC7E1301F96C016E1064558D8B1DCD526136
              Function 03A72F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b625b05b53d64212807664abcda754801856069ec9c70f1cbae2cc81bde0342
              • Instruction ID: d8c1f408ebad77ecb54ddd81f3f78bc7baf83078ee147537737722d54d015f8d
              • Opcode Fuzzy Hash: 9b625b05b53d64212807664abcda754801856069ec9c70f1cbae2cc81bde0342
              • Instruction Fuzzy Hash: 9390026121140442D104B2584444746404A87E1301F96C013A2154558CCA2D8D615135
              Function 03A72EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8b7fe70b6d7b1db1a1db442cb7230ac382e9fb1f15c8df4b983fd3b836789434
              • Instruction ID: e8a50da451d5a3d606a2b96a9272713038d03c5b8b2a4a6807586778a7e61d52
              • Opcode Fuzzy Hash: 8b7fe70b6d7b1db1a1db442cb7230ac382e9fb1f15c8df4b983fd3b836789434
              • Instruction Fuzzy Hash: 0590027120140802D140B2584444786400A87D0301F96C012A5064558E8B5D8ED56675
              Function 03A72E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c44e75ba04b98fd6e0901ef61242ad5f84440c998719e80c8d90d03f9934c765
              • Instruction ID: e303f57d1a5663c1869d8415abfae552c449150872fe418899db69d36fc75ad6
              • Opcode Fuzzy Hash: c44e75ba04b98fd6e0901ef61242ad5f84440c998719e80c8d90d03f9934c765
              • Instruction Fuzzy Hash: 8190022160140902D101B2584444656400F87D0341FD6C023A1024559ECF298A92A131
              Function 03A72EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b9387c15e0f304d47f3eb94e3319f8025b068b97077c8ab15c80d1f38587ebfd
              • Instruction ID: 241df3eaa6b3a87db98e35d66bfdd7e7a09ee1ce0026968ea7d9cd5be3f9d148
              • Opcode Fuzzy Hash: b9387c15e0f304d47f3eb94e3319f8025b068b97077c8ab15c80d1f38587ebfd
              • Instruction Fuzzy Hash: 9590026120180803D140B6584844647400A87D0302F96C012A2064559E8F2D8D516135
              Function 03A72E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6037c3c08fc68a310cf7559adb636d79ffe3402f9f1345dd05f608bc5426b007
              • Instruction ID: 5d635efbf04ea7e90f25870dc8807114b4e00bb39f390a9a5b947059099fe3f3
              • Opcode Fuzzy Hash: 6037c3c08fc68a310cf7559adb636d79ffe3402f9f1345dd05f608bc5426b007
              • Instruction Fuzzy Hash: 9990022130140802D102B2584454646400EC7D1345FD6C013E1424559D8B298A53A132
              Function 03A72DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 357e3815be04e383424d7202da5bdd3256bec30c73c0ea87fea3450405d28a36
              • Instruction ID: d9e24f8b6617e462a143ba2d99d78a6a6a85e7ba63dd81d1f0a27f8a403b8dd0
              • Opcode Fuzzy Hash: 357e3815be04e383424d7202da5bdd3256bec30c73c0ea87fea3450405d28a36
              • Instruction Fuzzy Hash: 5990023124140802D141B2584444646400E97D0341FD6C013A0424558E8B598B56AA71
              Function 03A72DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 76a9db35322fc9f15a5f5e5c38d9b97aa2079b6956dfc159d178729138af2050
              • Instruction ID: 3702aab53614c89fc6c766f202ce157726bd2c79021f55c8adddd5991e8c949d
              • Opcode Fuzzy Hash: 76a9db35322fc9f15a5f5e5c38d9b97aa2079b6956dfc159d178729138af2050
              • Instruction Fuzzy Hash: F8900221242445525545F2584444547800B97E03417D6C013A1414954C8A2A9956D631
              Function 03A72D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8db3b0099dde00c0ce7373548a94028dcea12e34a0f0f36300315bf1e096eb20
              • Instruction ID: da7d611ebaac140cdcaa956a8a9830bc49e02b782710f09473408fd84780ea82
              • Opcode Fuzzy Hash: 8db3b0099dde00c0ce7373548a94028dcea12e34a0f0f36300315bf1e096eb20
              • Instruction Fuzzy Hash: A490022130140403D140B2585458646800AD7E1301F96D012E0414558CDE1989565232
              Function 03A72D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 962df8df9f84fa4dbfcd20879f6945b8480713fe2257470b93e01b3f55978ca6
              • Instruction ID: 202c1a662dbb0a8b21df97da26fdbef98c899174412a8f14635dcb71552abba8
              • Opcode Fuzzy Hash: 962df8df9f84fa4dbfcd20879f6945b8480713fe2257470b93e01b3f55978ca6
              • Instruction Fuzzy Hash: BD90022120544842D100B6585448A46400A87D0305F96D012A1064599DCB398951A131
              Function 03A72D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb5a18b1fbaca51a1bb437f9345af34e51edeb33ed0e96870f1f040ef618d3e8
              • Instruction ID: 30d74a254c04f7e8553604c7050cade66c232875b9a70b6c2cc632ce732dcee0
              • Opcode Fuzzy Hash: fb5a18b1fbaca51a1bb437f9345af34e51edeb33ed0e96870f1f040ef618d3e8
              • Instruction Fuzzy Hash: B090022921340402D180B258544864A400A87D1302FD6D416A001555CCCE1989695331
              Function 03A73D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d09e79b07f4f0c9f03a70a93e72db37cb9da632792e0a7e4a2cc9686161b0c92
              • Instruction ID: 672b4469694b36afb9e820c61ce8931173e1ebe7a4825f9cc632e706461aa190
              • Opcode Fuzzy Hash: d09e79b07f4f0c9f03a70a93e72db37cb9da632792e0a7e4a2cc9686161b0c92
              • Instruction Fuzzy Hash: B1900231202405429540B3585844A8E810A87E1302BD6D416A0015558CCE1889615231
              Function 03A73D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0724a55702557b88eab522a681f65254646a936601d49c18b871fd219445dc67
              • Instruction ID: 075ed57014af68d780c9e581c0fd3fd5d9054d15b653e7f65f31ac4293f73864
              • Opcode Fuzzy Hash: 0724a55702557b88eab522a681f65254646a936601d49c18b871fd219445dc67
              • Instruction Fuzzy Hash: 5990023520140802D510B2585844686404B87D0301F96D412A042455CD8B5889A1A131
              Function 03A72CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6bbe34faf38423a2af5c2874f69607b4429775ac7edf08cb935ebffec54d0f0
              • Instruction ID: 806b039d6371e4f527156db2afec7b665d7abe141e3f5d8ac3d59411953d7dfb
              • Opcode Fuzzy Hash: f6bbe34faf38423a2af5c2874f69607b4429775ac7edf08cb935ebffec54d0f0
              • Instruction Fuzzy Hash: 9C90023120140802D100B6985448686400A87E0301F96D012A5024559ECB6989916131
              Function 03A72CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07a98a7412d0fe01d53a863fbbd752a3e3e2cc27cdaa43e0ae0223f92ba8f990
              • Instruction ID: 91d7a4e47c06e320ca148faec19256fb603671885ea1973d301cb26e87b3080e
              • Opcode Fuzzy Hash: 07a98a7412d0fe01d53a863fbbd752a3e3e2cc27cdaa43e0ae0223f92ba8f990
              • Instruction Fuzzy Hash: A390023120140803D100B2585548747400A87D0301F96D412A042455CDDB5A89516131
              Function 03A72CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fd0cd61c70e95480d2a22868317c37e6d12c7c3576a11faf8e072a87fbaa05e0
              • Instruction ID: 6c875257121a20332aef1164de5238a92b1e09c82d1a6603dc0ec3062c1801e7
              • Opcode Fuzzy Hash: fd0cd61c70e95480d2a22868317c37e6d12c7c3576a11faf8e072a87fbaa05e0
              • Instruction Fuzzy Hash: 2090022160540802D140B2585458746401A87D0301F96D012A0024558DCB5D8B5566B1
              Function 03A72C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba9005bb96f146622660bdcdccae020250d42037b06e37970c204efd3a20bee6
              • Instruction ID: cf8172b1e8da8ad95efb9db8a736e593390540e95d237bffdc2c3e332be5f8f9
              • Opcode Fuzzy Hash: ba9005bb96f146622660bdcdccae020250d42037b06e37970c204efd3a20bee6
              • Instruction Fuzzy Hash: 1490023120140C42D100B2584444B86400A87E0301F96C017A0124658D8B19C9517531
              Function 03A72C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c081755656b2c2ee4a0969a0f1751c74fcfc9b71dfa9df4a6f7a36a7b831ef4e
              • Instruction ID: 85a7ce7d1fba9afba6edc3cc0ec763e3c3ffde9bd170bc9b91b8edcd9a3683d3
              • Opcode Fuzzy Hash: c081755656b2c2ee4a0969a0f1751c74fcfc9b71dfa9df4a6f7a36a7b831ef4e
              • Instruction Fuzzy Hash: 3D90023120148C02D110B258844478A400A87D0301F9AC412A442465CD8B9989917131
              Function 03A72C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: 753309e0dc3e3b2c57bf69f5c6ba90d10068aba477833187e49ad9ddd6b483c7
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 03A72890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: efdb772acde483bd6861764ebe7ee4a00185b0615d695e62262ad3eeb6309758
              • Instruction ID: ec548c573cde0ac30e1b9fc2c60b262bfd6e5c1b0492a2015831f35271c54223
              • Opcode Fuzzy Hash: efdb772acde483bd6861764ebe7ee4a00185b0615d695e62262ad3eeb6309758
              • Instruction Fuzzy Hash: 9451B6B6A04616BFCB10DB9C8DD0A7EF7F8BB09200B18856BE4A5D7641D334DE44CBA0
              Function 03A67630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03AA4725
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 03AA4787
              • Execute=1, xrefs: 03AA4713
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03AA4742
              • ExecuteOptions, xrefs: 03AA46A0
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03AA46FC
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03AA4655
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: 7620e91770c2155ed5f3670237c5494f1820e3e3002a7780dea0961e5db58653
              • Instruction ID: d804800f09c69c4131d25540a1b71c262a40e26422fdb78533fe97d5d351d51e
              • Opcode Fuzzy Hash: 7620e91770c2155ed5f3670237c5494f1820e3e3002a7780dea0961e5db58653
              • Instruction Fuzzy Hash: E0511B396103197EDF10EB69DD85FAE73BCEF09308F0801ABE505AB291E7769A418F50
              Function 03A7B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: 692d9c299c65e652c387dedeb3a643475e05cd2aeb33f94cf9d3aef3ba7e780e
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 96816BB4E062499EDF24CF68CCD17EEBBB6AF46250F1C425FD861AB391C63499408B70
              Function 03A5F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Re-Waiting, xrefs: 03AA031E
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03AA02E7
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03AA02BD
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 8171a73a522a2e2ae02657b52d39fa63da7ae1955ecb5dc9dfb5641cec53ac31
              • Instruction ID: a829cdd8fd70b01a40f07c48e17ebcbf59ac56834db0bff96b6692793dc9fac0
              • Opcode Fuzzy Hash: 8171a73a522a2e2ae02657b52d39fa63da7ae1955ecb5dc9dfb5641cec53ac31
              • Instruction Fuzzy Hash: 57E1CC31608B41DFD724CF28C984B2AB7E4BF89314F180A6EF9A58B6E1D774D944CB52
              Function 03A6BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Re-Waiting, xrefs: 03AA7BAC
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03AA7B7F
              • RTL: Resource at %p, xrefs: 03AA7B8E
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 61908beaef8b2c082e8c6ead0c6af44ea67c14cd38f2fc56d018a4c2fc5bec77
              • Instruction ID: 9c081307b8ba9ad594f599379f55e6de82f50171cc0e9ed5beb7c738b348f49c
              • Opcode Fuzzy Hash: 61908beaef8b2c082e8c6ead0c6af44ea67c14cd38f2fc56d018a4c2fc5bec77
              • Instruction Fuzzy Hash: D541B2367007029FC724DF69CD40B6AB7E9EB89710F140A2EE956DB690DB71E4058BA1
              Function 03A6B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03AA728C
              Strings
              • RTL: Re-Waiting, xrefs: 03AA72C1
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03AA7294
              • RTL: Resource at %p, xrefs: 03AA72A3
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: dd123cc5c18aee18e19779f90ea561fd81ed4fff567570b827424dcb1576b59f
              • Instruction ID: 0a863f17a1bc196f58818d7adb1a92f36501d85c610dbd7bd0b90e1c26c2093c
              • Opcode Fuzzy Hash: dd123cc5c18aee18e19779f90ea561fd81ed4fff567570b827424dcb1576b59f
              • Instruction Fuzzy Hash: 2B41E136600706AFC724DF69CC41B6AB7A9FB94710F140A2FF855DB240DB31E81687E1
              Function 03A77D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: eac62f73c55acd8fb255fd76053b445bae2821f540de45e3cc07a6c78ae7ed7e
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 3E91A071E002169EDB24DF69CDC1ABEB7B9AF44320F58462FE865E72C0D7368942CB50
              Function 03A39126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 63a5f381fc25654856b3000758802225db1f937adccef64e4812b2e7955b3615
              • Instruction ID: 2827f768d20e42e7bebd5ce388238204eb0253c011ccd7e41c5e8bbc1d3255ab
              • Opcode Fuzzy Hash: 63a5f381fc25654856b3000758802225db1f937adccef64e4812b2e7955b3615
              • Instruction Fuzzy Hash: 55813A76D002699BDB31DF54CD44BEAB7B8AB48710F0445EBA90DB7680E7709E84CFA0
              Function 03ABCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON
              Download Yara Rule
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 03ABCFBD
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.1970980118.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3a00000_svchost.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4_w@4_w
              • API String ID: 4062629308-713214301
              • Opcode ID: fe8ba21721b095157a37d8375fabe7dd780dd29d9779efa5d68bfa52154ebb89
              • Instruction ID: 73c1969ad39ba0ea85eee9d84a630e85ee2ce8e84f7ddc24cbaa14fcdde0253e
              • Opcode Fuzzy Hash: fe8ba21721b095157a37d8375fabe7dd780dd29d9779efa5d68bfa52154ebb89
              • Instruction Fuzzy Hash: 1141CF79900324DFCB21DFA4C980AAEBBB8EF85714F04456BE915DB365D774C801CB61