Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CGk5FtIq0N.exe

Overview

General Information

Sample name:CGk5FtIq0N.exe
renamed because original name is a hash value
Original sample name:f19414e7e71407b3b1285178b8ff9a0b43d94ce8f716ce0b7ff99583286cbcce.exe
Analysis ID:1588579
MD5:6c99f740265dd788386ddaf2c2d5dae0
SHA1:ef301d794c8b66c7ee0821aece2bb1cd4766e73a
SHA256:f19414e7e71407b3b1285178b8ff9a0b43d94ce8f716ce0b7ff99583286cbcce
Tags:exeFormbookuser-adrian__luca
Infos:

Detection

FormBook
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • CGk5FtIq0N.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\CGk5FtIq0N.exe" MD5: 6C99F740265DD788386DDAF2C2D5DAE0)
    • svchost.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\CGk5FtIq0N.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.2285756595.0000000003580000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\CGk5FtIq0N.exe", CommandLine: "C:\Users\user\Desktop\CGk5FtIq0N.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CGk5FtIq0N.exe", ParentImage: C:\Users\user\Desktop\CGk5FtIq0N.exe, ParentProcessId: 7656, ParentProcessName: CGk5FtIq0N.exe, ProcessCommandLine: "C:\Users\user\Desktop\CGk5FtIq0N.exe", ProcessId: 7756, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\CGk5FtIq0N.exe", CommandLine: "C:\Users\user\Desktop\CGk5FtIq0N.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CGk5FtIq0N.exe", ParentImage: C:\Users\user\Desktop\CGk5FtIq0N.exe, ParentProcessId: 7656, ParentProcessName: CGk5FtIq0N.exe, ProcessCommandLine: "C:\Users\user\Desktop\CGk5FtIq0N.exe", ProcessId: 7756, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: CGk5FtIq0N.exeVirustotal: Detection: 63%Perma Link
          Source: CGk5FtIq0N.exeReversingLabs: Detection: 71%
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2285756595.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: CGk5FtIq0N.exeJoe Sandbox ML: detected
          Source: CGk5FtIq0N.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.2285810566.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1942219244.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1940016430.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.2285810566.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1942219244.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1940016430.0000000003400000.00000004.00000020.00020000.00000000.sdmp

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2285756595.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Binary is likely a compiled AutoIt script file
          Source: CGk5FtIq0N.exe, 00000000.00000000.1378713597.0000000000864000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_77268a8f-1
          Source: CGk5FtIq0N.exe, 00000000.00000000.1378713597.0000000000864000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f0af223b-f
          Source: CGk5FtIq0N.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_39e94e4f-4
          Source: CGk5FtIq0N.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c904009e-5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C9E3 NtClose,2_2_0042C9E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,2_2_038735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872B60 NtClose,LdrInitializeThunk,2_2_03872B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03872DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03874340 NtSetContextThread,2_2_03874340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03873090 NtSetValueKey,2_2_03873090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03873010 NtOpenDirectoryObject,2_2_03873010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03874650 NtSuspendThread,2_2_03874650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872B80 NtQueryInformationFile,2_2_03872B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872BA0 NtEnumerateValueKey,2_2_03872BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872BE0 NtQueryValueKey,2_2_03872BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872BF0 NtAllocateVirtualMemory,2_2_03872BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872AB0 NtWaitForSingleObject,2_2_03872AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872AD0 NtReadFile,2_2_03872AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872AF0 NtWriteFile,2_2_03872AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038739B0 NtGetContextThread,2_2_038739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872F90 NtProtectVirtualMemory,2_2_03872F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872FA0 NtQuerySection,2_2_03872FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872FB0 NtResumeThread,2_2_03872FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872FE0 NtCreateFile,2_2_03872FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872F30 NtCreateSection,2_2_03872F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872F60 NtCreateProcessEx,2_2_03872F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872E80 NtReadVirtualMemory,2_2_03872E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872EA0 NtAdjustPrivilegesToken,2_2_03872EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872EE0 NtQueueApcThread,2_2_03872EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872E30 NtWriteVirtualMemory,2_2_03872E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872DB0 NtEnumerateKey,2_2_03872DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872DD0 NtDelayExecution,2_2_03872DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872D00 NtSetInformationFile,2_2_03872D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872D10 NtMapViewOfSection,2_2_03872D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03873D10 NtOpenProcessToken,2_2_03873D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872D30 NtUnmapViewOfSection,2_2_03872D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03873D70 NtOpenThread,2_2_03873D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872CA0 NtQueryInformationToken,2_2_03872CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872CC0 NtQueryVirtualMemory,2_2_03872CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872CF0 NtOpenProcess,2_2_03872CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872C00 NtQueryInformationProcess,2_2_03872C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872C60 NtCreateKey,2_2_03872C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872C70 NtFreeVirtualMemory,2_2_03872C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004030502_2_00403050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042F0832_2_0042F083
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004101632_2_00410163
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402B662_2_00402B66
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402B702_2_00402B70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416B0E2_2_00416B0E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416B132_2_00416B13
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004103832_2_00410383
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E3832_2_0040E383
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E4D12_2_0040E4D1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E4D32_2_0040E4D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040274A2_2_0040274A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004027502_2_00402750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0388739A2_2_0388739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E3F02_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039003E62_2_039003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F132D2_2_038F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382D34C2_2_0382D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FA3522_2_038FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A02_2_038452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C02_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E02742_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384B1B02_2_0384B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039001AA2_2_039001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F81CC2_2_038F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038301002_2_03830100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA1182_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C81582_2_038C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0387516C2_2_0387516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F1722_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0390B16B2_2_0390B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF0CC2_2_038EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C02_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F70E92_2_038F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FF0E02_2_038FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FF7B02_2_038FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383C7C02_2_0383C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038647502_2_03864750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038407702_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F16CC2_2_038F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385C6E02_2_0385C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039005912_2_03900591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DD5B02_2_038DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038405352_2_03840535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F75712_2_038F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EE4F62_2_038EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FF43F2_2_038FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F24462_2_038F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038314602_2_03831460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385FB802_2_0385FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F6BD72_2_038F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B5BF02_2_038B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0387DBF92_2_0387DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FAB402_2_038FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FFB762_2_038FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383EA802_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DDAAC2_2_038DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03885AA02_2_03885AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EDAC62_2_038EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FFA492_2_038FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F7A462_2_038F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B3A6C2_2_038B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038429A02_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0390A9A62_2_0390A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038499502_2_03849950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B9502_2_0385B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038569622_2_03856962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038268B82_2_038268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038438E02_2_038438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E8F02_2_0386E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD8002_2_038AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038428402_2_03842840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384A8402_2_0384A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841F922_2_03841F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FFFB12_2_038FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832FC82_2_03832FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384CFE02_2_0384CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FFF092_2_038FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03882F282_2_03882F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860F302_2_03860F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B4F402_2_038B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03852E902_2_03852E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FCE932_2_038FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03849EB02_2_03849EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FEEDB2_2_038FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FEE262_2_038FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840E592_2_03840E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03858DBF2_2_03858DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385FDC02_2_0385FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383ADE02_2_0383ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384AD002_2_0384AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03843D402_2_03843D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F1D5A2_2_038F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F7D732_2_038F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0CB52_2_038E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830CF22_2_03830CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FFCF22_2_038FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840C002_2_03840C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B9C322_2_038B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03887E54 appears 96 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0382B970 appears 268 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 038AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 038BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03875130 appears 36 times
          Source: CGk5FtIq0N.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal80.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeFile created: C:\Users\user\AppData\Local\Temp\autC1FD.tmpJump to behavior
          Source: CGk5FtIq0N.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: CGk5FtIq0N.exeVirustotal: Detection: 63%
          Source: CGk5FtIq0N.exeReversingLabs: Detection: 71%
          Source: unknownProcess created: C:\Users\user\Desktop\CGk5FtIq0N.exe "C:\Users\user\Desktop\CGk5FtIq0N.exe"
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CGk5FtIq0N.exe"
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CGk5FtIq0N.exe"Jump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: ntmarta.dllJump to behavior
          Source: CGk5FtIq0N.exeStatic file information: File size 1220096 > 1048576
          Source: CGk5FtIq0N.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: CGk5FtIq0N.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: CGk5FtIq0N.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: CGk5FtIq0N.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: CGk5FtIq0N.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: CGk5FtIq0N.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: CGk5FtIq0N.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000002.00000002.2285810566.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1942219244.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1940016430.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000002.00000002.2285810566.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1942219244.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1940016430.0000000003400000.00000004.00000020.00020000.00000000.sdmp
          Source: CGk5FtIq0N.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: CGk5FtIq0N.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: CGk5FtIq0N.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: CGk5FtIq0N.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: CGk5FtIq0N.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416857 push esp; iretd 2_2_00416858
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D8D0 push esp; iretd 2_2_0040D8D1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004051E6 push esp; retf 2_2_00405205
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004032C0 push eax; ret 2_2_004032C2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040D352 push dword ptr [ebp-59622DFFh]; iretd 2_2_0040D358
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414B13 pushad ; iretd 2_2_00414B78
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414B85 pushad ; iretd 2_2_00414B78
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00414BA2 pushad ; iretd 2_2_00414B78
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004164A9 push es; retf 2_2_004164BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00416505 push es; retf 2_2_004164BD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00413653 push ebx; retf 2_2_0041369C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx2_2_038309B6
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeAPI/Special instruction interceptor: Address: 12E9264
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD1C0 rdtsc 2_2_038AD1C0
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7760Thread sleep time: -30000s >= -30000sJump to behavior
          Source: CGk5FtIq0N.exe, 00000000.00000003.1402321094.0000000001349000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD1C0 rdtsc 2_2_038AD1C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00417AA3 LdrLoadDll,2_2_00417AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]2_2_0385438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]2_2_0385438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0390539D mov eax, dword ptr fs:[00000030h]2_2_0390539D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0388739A mov eax, dword ptr fs:[00000030h]2_2_0388739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0388739A mov eax, dword ptr fs:[00000030h]2_2_0388739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038533A5 mov eax, dword ptr fs:[00000030h]2_2_038533A5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038633A0 mov eax, dword ptr fs:[00000030h]2_2_038633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038633A0 mov eax, dword ptr fs:[00000030h]2_2_038633A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]2_2_038EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]2_2_038B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EB3D0 mov ecx, dword ptr fs:[00000030h]2_2_038EB3D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF3E6 mov eax, dword ptr fs:[00000030h]2_2_038EF3E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039053FC mov eax, dword ptr fs:[00000030h]2_2_039053FC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]2_2_038663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B930B mov eax, dword ptr fs:[00000030h]2_2_038B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B930B mov eax, dword ptr fs:[00000030h]2_2_038B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B930B mov eax, dword ptr fs:[00000030h]2_2_038B930B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]2_2_0382C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]2_2_03850310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F132D mov eax, dword ptr fs:[00000030h]2_2_038F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F132D mov eax, dword ptr fs:[00000030h]2_2_038F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385F32A mov eax, dword ptr fs:[00000030h]2_2_0385F32A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03827330 mov eax, dword ptr fs:[00000030h]2_2_03827330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382D34C mov eax, dword ptr fs:[00000030h]2_2_0382D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382D34C mov eax, dword ptr fs:[00000030h]2_2_0382D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905341 mov eax, dword ptr fs:[00000030h]2_2_03905341
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829353 mov eax, dword ptr fs:[00000030h]2_2_03829353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829353 mov eax, dword ptr fs:[00000030h]2_2_03829353
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]2_2_038FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF367 mov eax, dword ptr fs:[00000030h]2_2_038EF367
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]2_2_038D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03837370 mov eax, dword ptr fs:[00000030h]2_2_03837370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03837370 mov eax, dword ptr fs:[00000030h]2_2_03837370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03837370 mov eax, dword ptr fs:[00000030h]2_2_03837370
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]2_2_0386E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]2_2_0386E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905283 mov eax, dword ptr fs:[00000030h]2_2_03905283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386329E mov eax, dword ptr fs:[00000030h]2_2_0386329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386329E mov eax, dword ptr fs:[00000030h]2_2_0386329E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]2_2_038402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]2_2_038402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038452A0 mov eax, dword ptr fs:[00000030h]2_2_038452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F92A6 mov eax, dword ptr fs:[00000030h]2_2_038F92A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C72A0 mov eax, dword ptr fs:[00000030h]2_2_038C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C72A0 mov eax, dword ptr fs:[00000030h]2_2_038C72A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov eax, dword ptr fs:[00000030h]2_2_038B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov eax, dword ptr fs:[00000030h]2_2_038B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov ecx, dword ptr fs:[00000030h]2_2_038B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B92BC mov ecx, dword ptr fs:[00000030h]2_2_038B92BC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B2C0 mov eax, dword ptr fs:[00000030h]2_2_0385B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038392C5 mov eax, dword ptr fs:[00000030h]2_2_038392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038392C5 mov eax, dword ptr fs:[00000030h]2_2_038392C5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B2D3 mov eax, dword ptr fs:[00000030h]2_2_0382B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B2D3 mov eax, dword ptr fs:[00000030h]2_2_0382B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B2D3 mov eax, dword ptr fs:[00000030h]2_2_0382B2D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385F2D0 mov eax, dword ptr fs:[00000030h]2_2_0385F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385F2D0 mov eax, dword ptr fs:[00000030h]2_2_0385F2D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E12ED mov eax, dword ptr fs:[00000030h]2_2_038E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039052E2 mov eax, dword ptr fs:[00000030h]2_2_039052E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF2F8 mov eax, dword ptr fs:[00000030h]2_2_038EF2F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038292FF mov eax, dword ptr fs:[00000030h]2_2_038292FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03867208 mov eax, dword ptr fs:[00000030h]2_2_03867208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03867208 mov eax, dword ptr fs:[00000030h]2_2_03867208
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905227 mov eax, dword ptr fs:[00000030h]2_2_03905227
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]2_2_0382823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829240 mov eax, dword ptr fs:[00000030h]2_2_03829240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829240 mov eax, dword ptr fs:[00000030h]2_2_03829240
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]2_2_038B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]2_2_038B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386724D mov eax, dword ptr fs:[00000030h]2_2_0386724D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]2_2_0382A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EB256 mov eax, dword ptr fs:[00000030h]2_2_038EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EB256 mov eax, dword ptr fs:[00000030h]2_2_038EB256
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]2_2_03836259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]2_2_03834260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]2_2_03834260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]2_2_03834260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FD26B mov eax, dword ptr fs:[00000030h]2_2_038FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038FD26B mov eax, dword ptr fs:[00000030h]2_2_038FD26B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]2_2_0382826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03859274 mov eax, dword ptr fs:[00000030h]2_2_03859274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03871270 mov eax, dword ptr fs:[00000030h]2_2_03871270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03871270 mov eax, dword ptr fs:[00000030h]2_2_03871270
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]2_2_03870185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]2_2_038EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]2_2_038EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03887190 mov eax, dword ptr fs:[00000030h]2_2_03887190
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E11A4 mov eax, dword ptr fs:[00000030h]2_2_038E11A4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384B1B0 mov eax, dword ptr fs:[00000030h]2_2_0384B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]2_2_038F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]2_2_038F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386D1D0 mov eax, dword ptr fs:[00000030h]2_2_0386D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386D1D0 mov ecx, dword ptr fs:[00000030h]2_2_0386D1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039051CB mov eax, dword ptr fs:[00000030h]2_2_039051CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038551EF mov eax, dword ptr fs:[00000030h]2_2_038551EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038351ED mov eax, dword ptr fs:[00000030h]2_2_038351ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D71F9 mov esi, dword ptr fs:[00000030h]2_2_038D71F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]2_2_039061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]2_2_038601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]2_2_038F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]2_2_03860124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03831131 mov eax, dword ptr fs:[00000030h]2_2_03831131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03831131 mov eax, dword ptr fs:[00000030h]2_2_03831131
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B136 mov eax, dword ptr fs:[00000030h]2_2_0382B136
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905152 mov eax, dword ptr fs:[00000030h]2_2_03905152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829148 mov eax, dword ptr fs:[00000030h]2_2_03829148
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03837152 mov eax, dword ptr fs:[00000030h]2_2_03837152
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]2_2_0382C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]2_2_038C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]2_2_03836154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]2_2_03836154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F172 mov eax, dword ptr fs:[00000030h]2_2_0382F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C9179 mov eax, dword ptr fs:[00000030h]2_2_038C9179
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]2_2_0383208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382D08D mov eax, dword ptr fs:[00000030h]2_2_0382D08D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03835096 mov eax, dword ptr fs:[00000030h]2_2_03835096
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385D090 mov eax, dword ptr fs:[00000030h]2_2_0385D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385D090 mov eax, dword ptr fs:[00000030h]2_2_0385D090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386909C mov eax, dword ptr fs:[00000030h]2_2_0386909C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]2_2_038C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]2_2_038F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]2_2_038F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov ecx, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038470C0 mov eax, dword ptr fs:[00000030h]2_2_038470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039050D9 mov eax, dword ptr fs:[00000030h]2_2_039050D9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD0C0 mov eax, dword ptr fs:[00000030h]2_2_038AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD0C0 mov eax, dword ptr fs:[00000030h]2_2_038AD0C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]2_2_038B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038590DB mov eax, dword ptr fs:[00000030h]2_2_038590DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038550E4 mov eax, dword ptr fs:[00000030h]2_2_038550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038550E4 mov ecx, dword ptr fs:[00000030h]2_2_038550E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0382A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]2_2_038380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]2_2_038B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]2_2_0382C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]2_2_038720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]2_2_038B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]2_2_0382A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]2_2_0382C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F903E mov eax, dword ptr fs:[00000030h]2_2_038F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F903E mov eax, dword ptr fs:[00000030h]2_2_038F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F903E mov eax, dword ptr fs:[00000030h]2_2_038F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F903E mov eax, dword ptr fs:[00000030h]2_2_038F903E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]2_2_03832050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D705E mov ebx, dword ptr fs:[00000030h]2_2_038D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038D705E mov eax, dword ptr fs:[00000030h]2_2_038D705E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385B052 mov eax, dword ptr fs:[00000030h]2_2_0385B052
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]2_2_038B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B106E mov eax, dword ptr fs:[00000030h]2_2_038B106E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905060 mov eax, dword ptr fs:[00000030h]2_2_03905060
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov ecx, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03841070 mov eax, dword ptr fs:[00000030h]2_2_03841070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]2_2_0385C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AD070 mov ecx, dword ptr fs:[00000030h]2_2_038AD070
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF78A mov eax, dword ptr fs:[00000030h]2_2_038EF78A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B97A9 mov eax, dword ptr fs:[00000030h]2_2_038B97A9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BF7AF mov eax, dword ptr fs:[00000030h]2_2_038BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BF7AF mov eax, dword ptr fs:[00000030h]2_2_038BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BF7AF mov eax, dword ptr fs:[00000030h]2_2_038BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BF7AF mov eax, dword ptr fs:[00000030h]2_2_038BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BF7AF mov eax, dword ptr fs:[00000030h]2_2_038BF7AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039037B6 mov eax, dword ptr fs:[00000030h]2_2_039037B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]2_2_038307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385D7B0 mov eax, dword ptr fs:[00000030h]2_2_0385D7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F7BA mov eax, dword ptr fs:[00000030h]2_2_0382F7BA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]2_2_0383C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038357C0 mov eax, dword ptr fs:[00000030h]2_2_038357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038357C0 mov eax, dword ptr fs:[00000030h]2_2_038357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038357C0 mov eax, dword ptr fs:[00000030h]2_2_038357C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]2_2_038B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383D7E0 mov ecx, dword ptr fs:[00000030h]2_2_0383D7E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]2_2_038347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]2_2_038347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03837703 mov eax, dword ptr fs:[00000030h]2_2_03837703
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03835702 mov eax, dword ptr fs:[00000030h]2_2_03835702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03835702 mov eax, dword ptr fs:[00000030h]2_2_03835702
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]2_2_0386C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]2_2_03830710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]2_2_03860710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386F71F mov eax, dword ptr fs:[00000030h]2_2_0386F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386F71F mov eax, dword ptr fs:[00000030h]2_2_0386F71F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF72E mov eax, dword ptr fs:[00000030h]2_2_038EF72E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03833720 mov eax, dword ptr fs:[00000030h]2_2_03833720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384F720 mov eax, dword ptr fs:[00000030h]2_2_0384F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384F720 mov eax, dword ptr fs:[00000030h]2_2_0384F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384F720 mov eax, dword ptr fs:[00000030h]2_2_0384F720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F972B mov eax, dword ptr fs:[00000030h]2_2_038F972B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]2_2_0386C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]2_2_0386C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0390B73C mov eax, dword ptr fs:[00000030h]2_2_0390B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0390B73C mov eax, dword ptr fs:[00000030h]2_2_0390B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0390B73C mov eax, dword ptr fs:[00000030h]2_2_0390B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0390B73C mov eax, dword ptr fs:[00000030h]2_2_0390B73C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829730 mov eax, dword ptr fs:[00000030h]2_2_03829730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03829730 mov eax, dword ptr fs:[00000030h]2_2_03829730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03865734 mov eax, dword ptr fs:[00000030h]2_2_03865734
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383973A mov eax, dword ptr fs:[00000030h]2_2_0383973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383973A mov eax, dword ptr fs:[00000030h]2_2_0383973A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]2_2_0386273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]2_2_0386273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]2_2_0386273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]2_2_038AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03843740 mov eax, dword ptr fs:[00000030h]2_2_03843740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03843740 mov eax, dword ptr fs:[00000030h]2_2_03843740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03843740 mov eax, dword ptr fs:[00000030h]2_2_03843740
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]2_2_0386674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]2_2_0386674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]2_2_0386674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]2_2_03830750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]2_2_03872750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]2_2_03872750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03903749 mov eax, dword ptr fs:[00000030h]2_2_03903749
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]2_2_038B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B765 mov eax, dword ptr fs:[00000030h]2_2_0382B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B765 mov eax, dword ptr fs:[00000030h]2_2_0382B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B765 mov eax, dword ptr fs:[00000030h]2_2_0382B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382B765 mov eax, dword ptr fs:[00000030h]2_2_0382B765
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]2_2_03838770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B368C mov eax, dword ptr fs:[00000030h]2_2_038B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B368C mov eax, dword ptr fs:[00000030h]2_2_038B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B368C mov eax, dword ptr fs:[00000030h]2_2_038B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B368C mov eax, dword ptr fs:[00000030h]2_2_038B368C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]2_2_03834690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]2_2_03834690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]2_2_0386C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382D6AA mov eax, dword ptr fs:[00000030h]2_2_0382D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382D6AA mov eax, dword ptr fs:[00000030h]2_2_0382D6AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038276B2 mov eax, dword ptr fs:[00000030h]2_2_038276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038276B2 mov eax, dword ptr fs:[00000030h]2_2_038276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038276B2 mov eax, dword ptr fs:[00000030h]2_2_038276B2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]2_2_038666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0386A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]2_2_0386A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383B6C0 mov eax, dword ptr fs:[00000030h]2_2_0383B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383B6C0 mov eax, dword ptr fs:[00000030h]2_2_0383B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383B6C0 mov eax, dword ptr fs:[00000030h]2_2_0383B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383B6C0 mov eax, dword ptr fs:[00000030h]2_2_0383B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383B6C0 mov eax, dword ptr fs:[00000030h]2_2_0383B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383B6C0 mov eax, dword ptr fs:[00000030h]2_2_0383B6C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F16CC mov eax, dword ptr fs:[00000030h]2_2_038F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F16CC mov eax, dword ptr fs:[00000030h]2_2_038F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F16CC mov eax, dword ptr fs:[00000030h]2_2_038F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F16CC mov eax, dword ptr fs:[00000030h]2_2_038F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EF6C7 mov eax, dword ptr fs:[00000030h]2_2_038EF6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038616CF mov eax, dword ptr fs:[00000030h]2_2_038616CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C36EE mov eax, dword ptr fs:[00000030h]2_2_038C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C36EE mov eax, dword ptr fs:[00000030h]2_2_038C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C36EE mov eax, dword ptr fs:[00000030h]2_2_038C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C36EE mov eax, dword ptr fs:[00000030h]2_2_038C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C36EE mov eax, dword ptr fs:[00000030h]2_2_038C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C36EE mov eax, dword ptr fs:[00000030h]2_2_038C36EE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385D6E0 mov eax, dword ptr fs:[00000030h]2_2_0385D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385D6E0 mov eax, dword ptr fs:[00000030h]2_2_0385D6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038636EF mov eax, dword ptr fs:[00000030h]2_2_038636EF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]2_2_038B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]2_2_038B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038ED6F0 mov eax, dword ptr fs:[00000030h]2_2_038ED6F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03861607 mov eax, dword ptr fs:[00000030h]2_2_03861607
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]2_2_038AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386F603 mov eax, dword ptr fs:[00000030h]2_2_0386F603
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03833616 mov eax, dword ptr fs:[00000030h]2_2_03833616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03833616 mov eax, dword ptr fs:[00000030h]2_2_03833616
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]2_2_03872619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]2_2_0384E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382F626 mov eax, dword ptr fs:[00000030h]2_2_0382F626
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]2_2_03866620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03905636 mov eax, dword ptr fs:[00000030h]2_2_03905636

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2C02008Jump to behavior
          Source: C:\Users\user\Desktop\CGk5FtIq0N.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CGk5FtIq0N.exe"Jump to behavior
          Source: CGk5FtIq0N.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: CGk5FtIq0N.exe, 00000000.00000003.1412777182.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1412269177.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1380447293.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1413564800.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1411865949.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1390385446.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1411309806.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1389919880.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1415763588.0000000001349000.00000004.00000020.00020000.00000000.sdmp, CGk5FtIq0N.exe, 00000000.00000003.1382776625.0000000001349000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: msmpeng.exe

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2285756595.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000002.2285756595.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		212
          Process Injection          		2
          Virtualization/Sandbox Evasion          		OS Credential Dumping131
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		212
          Process Injection          		LSASS Memory2
          Virtualization/Sandbox Evasion          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
          Deobfuscate/Decode Files or Information          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          DLL Side-Loading          		NTDS11
          System Information Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information          		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          CGk5FtIq0N.exe64%VirustotalBrowse
          CGk5FtIq0N.exe71%ReversingLabsWin32.Trojan.AutoitInject
          CGk5FtIq0N.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          s-part-0017.t-0009.t-msedge.net
          		13.107.246.45
          		truefalse
            		high

            World Map of Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox version:42.0.0 Malachite
            Analysis ID:1588579
            Start date and time:2025-01-11 02:43:36 +01:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 5m 37s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Run name:Run with higher sleep bypass
            Number of analysed new started processes analysed:6
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:CGk5FtIq0N.exe
            renamed because original name is a hash value
            Original Sample Name:f19414e7e71407b3b1285178b8ff9a0b43d94ce8f716ce0b7ff99583286cbcce.exe
            Detection:MAL
            Classification:mal80.troj.evad.winEXE@3/2@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 92%
            • Number of executed functions: 9
            • Number of non-executed functions: 322
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
            • Stop behavior analysis, all processes terminated

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            s-part-0017.t-0009.t-msedge.netKtPCqWWnqM.exeGet hashmaliciousUnknownBrowse
            • 13.107.246.45
            kQibsaGS2E.exeGet hashmaliciousUnknownBrowse
            • 13.107.246.45
            1907125702104121563.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            2937924646314313784.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45
            RdichqztBg.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            AraK29dzhH.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            YrCSUX2O3I.exeGet hashmaliciousGuLoaderBrowse
            • 13.107.246.45
            http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==Get hashmaliciousUnknownBrowse
            • 13.107.246.45
            uG3I84bQEr.exeGet hashmaliciousFormBookBrowse
            • 13.107.246.45
            12621132703258916868.jsGet hashmaliciousStrela DownloaderBrowse
            • 13.107.246.45

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Temp\autC1FD.tmp

            Download File
            Process:C:\Users\user\Desktop\CGk5FtIq0N.exe
            File Type:data
            Category:dropped
            Size (bytes):289280
            Entropy (8bit):7.995407021656606
            Encrypted:true
            SSDEEP:6144:lIwfC4Vira77aoxQUI/TXMUgqpAwSCKj+OJga3v2qVfzupFjMqr:lNVIvNUsTcUppAwPK6OJreqVzupFjBr
            MD5:D3146BEF0BEF30592AB1C34C25E4E744
            SHA1:E21ECF0B1EB199C7FD3774DF81735F4B6899A490
            SHA-256:B7EFD057BDDDA45F0E2EF76969F63133E5BB30B7D4B7C9C800D44CF34B998EDF
            SHA-512:6FDFDBE1ECF173CEE5F8154519BDA55E5085FAE2926DAA9ED3DA1037EC973593252ACE3404881B01F9E9A587CE6267FCFB74F7D092F19FCB44E8CF828DA983EC
            Malicious:false
            Reputation:low
            Preview:u..L5W77PZB0..HT.COZ3R4Z.69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ6.ANL8H.9T.K.b.I..b.2Z!.*5Y^?0[."/"X8C.6?bB68h=&c..`rY5#S.@\<.ANL6W77-[K.~6/.u#(..2S.]...kV_.T..W3.X..t4/..3P:.: .9MQ68ANLf.77.[C0..!.HCOZ3R4Z.6;LZ73AN.2W77TZB0CV.GHCOJ3R4*C69M.68QNL6U77RZB0CVHTNCOZ3R4ZGF=MQ48ANL6W57..B0SVHDHCOZ#R4JG69MQ6(ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0m"-,<COZ..0ZG&9MQn<AN\6W77TZB0CVHTHCoZ324ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZ

            C:\Users\user\AppData\Local\Temp\parters

            Download File
            Process:C:\Users\user\Desktop\CGk5FtIq0N.exe
            File Type:data
            Category:dropped
            Size (bytes):289280
            Entropy (8bit):7.995407021656606
            Encrypted:true
            SSDEEP:6144:lIwfC4Vira77aoxQUI/TXMUgqpAwSCKj+OJga3v2qVfzupFjMqr:lNVIvNUsTcUppAwPK6OJreqVzupFjBr
            MD5:D3146BEF0BEF30592AB1C34C25E4E744
            SHA1:E21ECF0B1EB199C7FD3774DF81735F4B6899A490
            SHA-256:B7EFD057BDDDA45F0E2EF76969F63133E5BB30B7D4B7C9C800D44CF34B998EDF
            SHA-512:6FDFDBE1ECF173CEE5F8154519BDA55E5085FAE2926DAA9ED3DA1037EC973593252ACE3404881B01F9E9A587CE6267FCFB74F7D092F19FCB44E8CF828DA983EC
            Malicious:false
            Reputation:low
            Preview:u..L5W77PZB0..HT.COZ3R4Z.69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ6.ANL8H.9T.K.b.I..b.2Z!.*5Y^?0[."/"X8C.6?bB68h=&c..`rY5#S.@\<.ANL6W77-[K.~6/.u#(..2S.]...kV_.T..W3.X..t4/..3P:.: .9MQ68ANLf.77.[C0..!.HCOZ3R4Z.6;LZ73AN.2W77TZB0CV.GHCOJ3R4*C69M.68QNL6U77RZB0CVHTNCOZ3R4ZGF=MQ48ANL6W57..B0SVHDHCOZ#R4JG69MQ6(ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0m"-,<COZ..0ZG&9MQn<AN\6W77TZB0CVHTHCoZ324ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZB0CVHTHCOZ3R4ZG69MQ68ANL6W77TZ

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.202578493158035
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:CGk5FtIq0N.exe
            File size:1'220'096 bytes
            MD5:6c99f740265dd788386ddaf2c2d5dae0
            SHA1:ef301d794c8b66c7ee0821aece2bb1cd4766e73a
            SHA256:f19414e7e71407b3b1285178b8ff9a0b43d94ce8f716ce0b7ff99583286cbcce
            SHA512:8ca777072ba4cf4a13d3d5869160e70031f235c2203a8279151f1c3faf658c6b62a0264b623274fa7ee95c437c6fe73fb4ed50efaab3c46286c9e1a8d23148f4
            SSDEEP:24576:su6J33O0c+JY5UZ+XC0kGso6FasX51DU2LyQwnCB6gGeiZ4hWY:2u0c++OCvkGs9FasX5twng6YeZY
            TLSH:1045CF22B3DDC360CB669173BF69B7016EBF7C614630B85B1F880D7DA950162262D7A3
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

            File Icon

            Icon Hash:aaf3e3e3938382a0

            Static PE Info

            General

            Entrypoint:0x427dcd
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x67512701 [Thu Dec 5 04:07:29 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:afcdf79be1557326c854b6e20cb900a7

            Entrypoint Preview

            Instruction
            call 00007F9C14DF96CAh
            jmp 00007F9C14DEC494h
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push edi
            push esi
            mov esi, dword ptr [esp+10h]
            mov ecx, dword ptr [esp+14h]
            mov edi, dword ptr [esp+0Ch]
            mov eax, ecx
            mov edx, ecx
            add eax, esi
            cmp edi, esi
            jbe 00007F9C14DEC61Ah
            cmp edi, eax
            jc 00007F9C14DEC97Eh
            bt dword ptr [004C31FCh], 01h
            jnc 00007F9C14DEC619h
            rep movsb
            jmp 00007F9C14DEC92Ch
            cmp ecx, 00000080h
            jc 00007F9C14DEC7E4h
            mov eax, edi
            xor eax, esi
            test eax, 0000000Fh
            jne 00007F9C14DEC620h
            bt dword ptr [004BE324h], 01h
            jc 00007F9C14DECAF0h
            bt dword ptr [004C31FCh], 00000000h
            jnc 00007F9C14DEC7BDh
            test edi, 00000003h
            jne 00007F9C14DEC7CEh
            test esi, 00000003h
            jne 00007F9C14DEC7ADh
            bt edi, 02h
            jnc 00007F9C14DEC61Fh
            mov eax, dword ptr [esi]
            sub ecx, 04h
            lea esi, dword ptr [esi+04h]
            mov dword ptr [edi], eax
            lea edi, dword ptr [edi+04h]
            bt edi, 03h
            jnc 00007F9C14DEC623h
            movq xmm1, qword ptr [esi]
            sub ecx, 08h
            lea esi, dword ptr [esi+08h]
            movq qword ptr [edi], xmm1
            lea edi, dword ptr [edi+08h]
            test esi, 00000007h
            je 00007F9C14DEC675h
            bt esi, 03h
            jnc 00007F9C14DEC6C8h

            Rich Headers

            Programming Language:
            • [ASM] VS2013 build 21005
            • [ C ] VS2013 build 21005
            • [C++] VS2013 build 21005
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [ASM] VS2013 UPD4 build 31101
            • [RES] VS2013 build 21005
            • [LNK] VS2013 UPD4 build 31101

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0xba44c0x17c.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x614e0.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x1290000x711c.reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa48700x40.rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x8dcc40x8de00d28a820a1d9ff26cda02d12b888ba4b4False0.5728679102422908data6.676118058520316IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x8f0000x2e10e0x2e20079b14b254506b0dbc8cd0ad67fb70ad9False0.33535526761517614OpenPGP Public Key5.76010872795207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0xbe0000x8f740x52009f9d6f746f1a415a63de45f8b7983d33False0.1017530487804878data1.198745897703538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0xc70000x614e00x61600dc0f6f61daf88147da8bd8ab92e5ef8fFalse0.9324354139922978data7.904580260511708IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc0x1290000x711c0x72006fcae3cbbf6bfbabf5ec5bbe7cf612c3False0.7650767543859649data6.779031650454199IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountryZLIB Complexity
            RT_ICON0xc75a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
            RT_ICON0xc76d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
            RT_ICON0xc77f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
            RT_ICON0xc79200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
            RT_ICON0xc7c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
            RT_ICON0xc7d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
            RT_ICON0xc8bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
            RT_ICON0xc94800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
            RT_ICON0xc99e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
            RT_ICON0xcbf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
            RT_ICON0xcd0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
            RT_MENU0xcd4a00x50dataEnglishGreat Britain0.9
            RT_STRING0xcd4f00x594dataEnglishGreat Britain0.3333333333333333
            RT_STRING0xcda840x68adataEnglishGreat Britain0.2747909199522103
            RT_STRING0xce1100x490dataEnglishGreat Britain0.3715753424657534
            RT_STRING0xce5a00x5fcdataEnglishGreat Britain0.3087467362924282
            RT_STRING0xceb9c0x65cdataEnglishGreat Britain0.34336609336609336
            RT_STRING0xcf1f80x466dataEnglishGreat Britain0.3605683836589698
            RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
            RT_RCDATA0xcf7b80x587a5data1.0003338806031925
            RT_GROUP_ICON0x127f600x76dataEnglishGreat Britain0.6610169491525424
            RT_GROUP_ICON0x127fd80x14dataEnglishGreat Britain1.25
            RT_GROUP_ICON0x127fec0x14dataEnglishGreat Britain1.15
            RT_GROUP_ICON0x1280000x14dataEnglishGreat Britain1.25
            RT_VERSION0x1280140xdcdataEnglishGreat Britain0.6181818181818182
            RT_MANIFEST0x1280f00x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

            Imports

            DLLImport
            WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
            VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
            WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
            COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
            MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
            WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
            PSAPI.DLLGetProcessMemoryInfo
            IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
            USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
            UxTheme.dllIsThemeActive
            KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
            USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
            GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
            COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
            ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
            SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
            ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
            OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishGreat Britain

            Network Behavior

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Jan 11, 2025 02:44:36.078577042 CET1.1.1.1192.168.2.110xa696No error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
            Jan 11, 2025 02:44:36.078577042 CET1.1.1.1192.168.2.110xa696No error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:20:44:40
            Start date:10/01/2025
            Path:C:\Users\user\Desktop\CGk5FtIq0N.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\CGk5FtIq0N.exe"
            Imagebase:0x7b0000
            File size:1'220'096 bytes
            MD5 hash:6C99F740265DD788386DDAF2C2D5DAE0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            General

            Target ID:2
            Start time:20:44:46
            Start date:10/01/2025
            Path:C:\Windows\SysWOW64\svchost.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\CGk5FtIq0N.exe"
            Imagebase:0x360000
            File size:46'504 bytes
            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2285756595.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            Reputation:high
            Has exited:true

            Disassembly

            Reset < >

              Execution Graph

              Execution Coverage:0.8%
              Dynamic/Decrypted Code Coverage:6.6%
              Signature Coverage:11%
              Total number of Nodes:91
              Total number of Limit Nodes:7
              execution_graph 80293 42c003 80294 42c01d 80293->80294 80297 3872df0 LdrInitializeThunk 80294->80297 80295 42c045 80297->80295 80298 42ec03 80301 42cd23 80298->80301 80300 42ec1e 80302 42cd3d 80301->80302 80303 42cd4e RtlAllocateHeap 80302->80303 80303->80300 80304 42fc23 80307 42eb23 80304->80307 80310 42cd73 80307->80310 80309 42eb3c 80311 42cd90 80310->80311 80312 42cda1 RtlFreeHeap 80311->80312 80312->80309 80313 4250a3 80316 4250bc 80313->80316 80314 42514c 80315 425107 80317 42eb23 RtlFreeHeap 80315->80317 80316->80314 80316->80315 80319 425147 80316->80319 80318 425117 80317->80318 80320 42eb23 RtlFreeHeap 80319->80320 80320->80314 80326 424d13 80327 424d2f 80326->80327 80328 424d57 80327->80328 80329 424d6b 80327->80329 80330 42c9e3 NtClose 80328->80330 80336 42c9e3 80329->80336 80332 424d60 80330->80332 80333 424d74 80339 42ec43 RtlAllocateHeap 80333->80339 80335 424d7f 80337 42c9fd 80336->80337 80338 42ca0e NtClose 80337->80338 80338->80333 80339->80335 80321 417aa3 80322 417ac7 80321->80322 80323 417b03 LdrLoadDll 80322->80323 80324 417ace 80322->80324 80323->80324 80340 413f73 80344 413f93 80340->80344 80342 413ffc 80343 413ff2 80344->80342 80345 41b6e3 RtlFreeHeap LdrInitializeThunk 80344->80345 80345->80343 80325 3872b60 LdrInitializeThunk 80346 4019f7 80347 401a07 80346->80347 80350 430093 80347->80350 80353 42e673 80350->80353 80354 42e6bc 80353->80354 80363 4073a3 80354->80363 80356 42e6d2 80357 401ae0 80356->80357 80366 41b3d3 80356->80366 80359 42e6f1 80360 42e706 80359->80360 80361 42cdc3 ExitProcess 80359->80361 80377 42cdc3 80360->80377 80361->80360 80365 4073b0 80363->80365 80380 416763 80363->80380 80365->80356 80367 41b3ff 80366->80367 80398 41b2c3 80367->80398 80370 41b444 80373 41b460 80370->80373 80375 42c9e3 NtClose 80370->80375 80371 41b42c 80372 41b437 80371->80372 80374 42c9e3 NtClose 80371->80374 80372->80359 80373->80359 80374->80372 80376 41b456 80375->80376 80376->80359 80378 42cde0 80377->80378 80379 42cdf1 ExitProcess 80378->80379 80379->80357 80381 41677d 80380->80381 80383 416796 80381->80383 80384 42d453 80381->80384 80383->80365 80386 42d46d 80384->80386 80385 42d49c 80385->80383 80386->80385 80391 42c053 80386->80391 80389 42eb23 RtlFreeHeap 80390 42d515 80389->80390 80390->80383 80392 42c070 80391->80392 80395 3872c0a 80392->80395 80393 42c09c 80393->80389 80396 3872c11 80395->80396 80397 3872c1f LdrInitializeThunk 80395->80397 80396->80393 80397->80393 80399 41b3b9 80398->80399 80400 41b2dd 80398->80400 80399->80370 80399->80371 80404 42c0f3 80400->80404 80403 42c9e3 NtClose 80403->80399 80405 42c10d 80404->80405 80408 38735c0 LdrInitializeThunk 80405->80408 80406 41b3ad 80406->80403 80408->80406

              Executed Functions

              Function 00417AA3 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 21 417aa3-417acc call 42f703 24 417ad2-417ae0 call 42fd03 21->24 25 417ace-417ad1 21->25 28 417af0-417b01 call 42e143 24->28 29 417ae2-417aed call 42ffa3 24->29 34 417b03-417b17 LdrLoadDll 28->34 35 417b1a-417b1d 28->35 29->28 34->35
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B15
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: f28a75e70005662aac919bafd6ad0b2047ad25553c9df7d2cae425ddc504f24a
              • Instruction ID: f2f8bdc627ba45e271867e2eb18f0b5e1b288f905a57bf74de3ed4d301cfce4b
              • Opcode Fuzzy Hash: f28a75e70005662aac919bafd6ad0b2047ad25553c9df7d2cae425ddc504f24a
              • Instruction Fuzzy Hash: 9D0112B5E4410DABDB10DBE5DC42FDEB3789F54308F4041AAE90897240F675EB588B95
              Function 0042C9E3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 46 42c9e3-42ca1c call 404763 call 42dc43 NtClose
              APIs
              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CA17
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: 8be62b21c78d17fff9b7950ade04e5336d6a2e63ac572937bb5c99b7ea6e1980
              • Instruction ID: f5581ce56d1ab826025e375939d2ca643fe53eabff5439c8b217a1c3e0a247a4
              • Opcode Fuzzy Hash: 8be62b21c78d17fff9b7950ade04e5336d6a2e63ac572937bb5c99b7ea6e1980
              • Instruction Fuzzy Hash: 2CE086712012147BD210FA5AEC41F9B776CDFC5714F00445AFA0C67141C7B0791187F4
              Function 038735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 62 38735c0-38735cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: de5b455dfe2440bb83c49f27617af67ad353f9e0ee9afe5f53598bf78526276a
              • Instruction ID: 0c4895d414c41d1d18866422d722d3ae31371503f4fc5ca20503da01dc16948f
              • Opcode Fuzzy Hash: de5b455dfe2440bb83c49f27617af67ad353f9e0ee9afe5f53598bf78526276a
              • Instruction Fuzzy Hash: C890023160550806D100B2984554746100687D0301FB5C451A142856CD87958A5565A3
              Function 03872B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 60 3872b60-3872b6c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c1e5b7597785240be0e9ec2235edd01c1abb81e717ad92d7f2c7ee12047d5502
              • Instruction ID: 66871c75473c08b40d51fe63dc972a439c0af9b2931c27f22c3969a41cc9069c
              • Opcode Fuzzy Hash: c1e5b7597785240be0e9ec2235edd01c1abb81e717ad92d7f2c7ee12047d5502
              • Instruction Fuzzy Hash: A7900261202404074105B2984454656400B87E0301BA5C061E2018594DC62589956126
              Function 03872DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 61 3872df0-3872dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c135aeca0045f0a8c4d147d499c42d4321a773d51b060400ed67cf65d732a290
              • Instruction ID: 7152e8f79309b5124c13b769bd57648f4b61710c2819786d3777204fada2906f
              • Opcode Fuzzy Hash: c135aeca0045f0a8c4d147d499c42d4321a773d51b060400ed67cf65d732a290
              • Instruction Fuzzy Hash: 0C90023120140817D111B2984544747000A87D0341FE5C452A142855CD97568A56A122
              Function 0042CD73 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 41 42cd73-42cdb7 call 404763 call 42dc43 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,8CEC9C1E,00000007,00000000,00000004,00000000,0041732D,000000F4), ref: 0042CDB2
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: abb2cda5b05bca4b8e8b8d1afbd648866c45280468f95d9b86b38922dd16f8bf
              • Instruction ID: ddcabf5f81aa0a8097e747d0f2cf85b663cb37239693cd169bc6d9e053757976
              • Opcode Fuzzy Hash: abb2cda5b05bca4b8e8b8d1afbd648866c45280468f95d9b86b38922dd16f8bf
              • Instruction Fuzzy Hash: 79E06DB26012047BDA14EE5AEC81EDB77ACDFC5710F504019FD08A7242C770B910C7B5
              Function 0042CD23 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 36 42cd23-42cd64 call 404763 call 42dc43 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041E8B4,?,?,00000000,?,0041E8B4,?,?,?), ref: 0042CD5F
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 2486aa3a2b951297197509ef053ebe20fa15138ca0d184e777ce7be2f8a7706d
              • Instruction ID: faca62bed6c505046a3e654f36986b9fa5595a81f7d009c5e9b58dfd8d0991fa
              • Opcode Fuzzy Hash: 2486aa3a2b951297197509ef053ebe20fa15138ca0d184e777ce7be2f8a7706d
              • Instruction Fuzzy Hash: 54E06DB22446087BD614EE59EC82E9B33ACEFC9714F004059FA08A7246C770B91087B4
              Function 0042CDC3 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 51 42cdc3-42cdff call 404763 call 42dc43 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 15b8e013fc28ce108bf74ebb3313fa97417124a3a10b273b09febd295f54fc9d
              • Instruction ID: ae960c3bf3c146b0d9b3ec5661477fe66a0b163b4490dba330e59e1ad3883490
              • Opcode Fuzzy Hash: 15b8e013fc28ce108bf74ebb3313fa97417124a3a10b273b09febd295f54fc9d
              • Instruction Fuzzy Hash: 6BE04F316406147BD210BA5ADC41F9B779CDBC5754F00401AFA08A7282C674790187F5
              Function 03872C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 56 3872c0a-3872c0f 57 3872c11-3872c18 56->57 58 3872c1f-3872c26 LdrInitializeThunk 56->58
              APIs
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 45287dbc22a10da2507a01c76850d9daf97477662aa3273d635014b6db924b69
              • Instruction ID: cb0054b3d92d88ebb062ce99be82bf843719ec901fd717cdd5a117496de06d25
              • Opcode Fuzzy Hash: 45287dbc22a10da2507a01c76850d9daf97477662aa3273d635014b6db924b69
              • Instruction Fuzzy Hash: 57B09B719015C5C9DA11F7A04608717790567D0701F69C4E1D3034645E4739C1D5E176

              Non-executed Functions

              Function 038B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: d180ebb643bebe04622c3f9d976e3d5dd8a0b4cfc664d30308ea4b2a56b59414
              • Instruction ID: c9fb79fe6cac786a2b8e5783199a299aff21857ba4ab7521bd2c30f6bc4a6dce
              • Opcode Fuzzy Hash: d180ebb643bebe04622c3f9d976e3d5dd8a0b4cfc664d30308ea4b2a56b59414
              • Instruction Fuzzy Hash: AF928B75608746ABD720DEA4C880BABB7F8BB84754F084D9DFA94DB350D770E844CB92
              Function 038268B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
              • API String ID: 0-3089669407
              • Opcode ID: db5aecff6e16c53aec62dd5c72315dc931da0f385a515893bcac37371ae770ee
              • Instruction ID: d46d88955cb22c59b8cec6b6214370edf8e4cef51fc505de2bcd91e23727e6d7
              • Opcode Fuzzy Hash: db5aecff6e16c53aec62dd5c72315dc931da0f385a515893bcac37371ae770ee
              • Instruction Fuzzy Hash: 8381FFB3D066187F8B51FBE8EDC4EEEB7BDAB15610B154462B910EB114E720ED048BA1
              Function 03860F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
              • API String ID: 0-360209818
              • Opcode ID: 2437f184256164f7cd689ac3e0489ad6349e48f68e1a7347c6f364fd0e5c37a9
              • Instruction ID: 4389a3ad4f0ab7b2f7920238784d3c6f4729bd01812e0be29f574b20cb3adaa2
              • Opcode Fuzzy Hash: 2437f184256164f7cd689ac3e0489ad6349e48f68e1a7347c6f364fd0e5c37a9
              • Instruction Fuzzy Hash: 3162B0B5E006298FEB24CF98C8457A9B7B6BF85324F5882DAD449EB240D7325AD1CF40
              Function 038E12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
              • API String ID: 0-3591852110
              • Opcode ID: 55e912153af230f52bf92d2693c1106344e0f727ce4e86a99135a9ca4a8bc292
              • Instruction ID: 9b605f4a8fa7d8b59a2eeaedf8a4f1308038c465da60f3647eb44ea7fa3d5e22
              • Opcode Fuzzy Hash: 55e912153af230f52bf92d2693c1106344e0f727ce4e86a99135a9ca4a8bc292
              • Instruction Fuzzy Hash: A012BC74604655EFC725CFA8C449BBABBE5FF0A704F1884D9E496CB681E738E881CB50
              Function 0384AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
              • API String ID: 0-3197712848
              • Opcode ID: 2b4c216d7e067104d7a8cbc190a366e52d929ee678031ef877fedae8d3c85bb8
              • Instruction ID: 3ecefee2b232ba6a6bb530903f08bd6f1562d6c77d4a220bdcbd28c1974bf1ec
              • Opcode Fuzzy Hash: 2b4c216d7e067104d7a8cbc190a366e52d929ee678031ef877fedae8d3c85bb8
              • Instruction Fuzzy Hash: 6512E475A083498FD724DFA8C440BAAB7E4BF85704F08099EF985DF681E778D944CB52
              Function 0382D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
              • API String ID: 0-3532704233
              • Opcode ID: 1af99b6ba4e4d7a1a36ae7ff7518ab936584d6f8338201cea88cc394d9314913
              • Instruction ID: 599b139e1f6914bea06726ce2afabe72f6164afde32a367a0bf8934d952f2ba3
              • Opcode Fuzzy Hash: 1af99b6ba4e4d7a1a36ae7ff7518ab936584d6f8338201cea88cc394d9314913
              • Instruction Fuzzy Hash: 91B1CE715083659FC711DFA8C880A6BBFE8BF84704F0549AEF8A9D7240D774D989CB92
              Function 038E0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
              • API String ID: 0-1357697941
              • Opcode ID: 141df5b510321a04c1db1eb5978af163fbc0b431437964f656c1bbcbe0ef6ddd
              • Instruction ID: addd9cc1935541c04c73e98842692ae88e0f4231c4cc4fe60fe073c66b31fcc5
              • Opcode Fuzzy Hash: 141df5b510321a04c1db1eb5978af163fbc0b431437964f656c1bbcbe0ef6ddd
              • Instruction Fuzzy Hash: 62F1F075A04295EFCB25CFAAC440BAAFBF5FF0A304F0844D9E481DB282D774A985CB51
              Function 038C9179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
              • API String ID: 0-3063724069
              • Opcode ID: c9f1564c925f9fce90b5bf7082112715277ddbdd8c0cca94a4ae39ca245b1824
              • Instruction ID: aac8c23a1b95a431bc2d1788e6f9834bff80ac7dae3e261a99a7adc821c4cc95
              • Opcode Fuzzy Hash: c9f1564c925f9fce90b5bf7082112715277ddbdd8c0cca94a4ae39ca245b1824
              • Instruction Fuzzy Hash: F0D1C072814395AFD721DAE8C840FABB7ECAF84714F0449EDFA94DB250E774C9448B92
              Function 038E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              • API String ID: 0-1700792311
              • Opcode ID: 10020bd03cbb14eda7a54ba2dae5cec391beae3da0655dea59acfb178b6494c4
              • Instruction ID: f3972ab6122a555f2feedc17d37bdf20521cacc1b90ce15658914ca8e45b6795
              • Opcode Fuzzy Hash: 10020bd03cbb14eda7a54ba2dae5cec391beae3da0655dea59acfb178b6494c4
              • Instruction Fuzzy Hash: 47D1CCB5504785EFCB22DFEAC440AADBBF1FF4A604F088889E455EB252D7B49981CB11
              Function 0382D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0382D0CF
              • @, xrefs: 0382D2AF
              • @, xrefs: 0382D0FD
              • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0382D262
              • Control Panel\Desktop\LanguageConfiguration, xrefs: 0382D196
              • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0382D146
              • @, xrefs: 0382D313
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0382D2C3
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
              • API String ID: 0-1356375266
              • Opcode ID: 2aed5addc68bd37fd294646e8087038a9a4dbca997706114ccd789d24a7bb2bb
              • Instruction ID: 4d98739f4f027daedb79b0a89a7f65b70ba117ff6fdb191219e4ee39d379a7fe
              • Opcode Fuzzy Hash: 2aed5addc68bd37fd294646e8087038a9a4dbca997706114ccd789d24a7bb2bb
              • Instruction Fuzzy Hash: 5FA18A719083559FD321DFA4C484B5BFBE8BB84715F004DAEE5A8D6280E778D948CB93
              Function 03849EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
              Download Yara Rule
              Strings
              • Internal error check failed, xrefs: 03897718, 038978A9
              • sxsisol_SearchActCtxForDllName, xrefs: 038976DD
              • Status != STATUS_NOT_FOUND, xrefs: 0389789A
              • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 03897709
              • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 038976EE
              • @, xrefs: 03849EE7
              • minkernel\ntdll\sxsisol.cpp, xrefs: 03897713, 038978A4
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
              • API String ID: 0-761764676
              • Opcode ID: a855913dab3de5cb1ff70043f979c8308ccbda9f2552a58a16d6e16f8ffde13a
              • Instruction ID: 7476e6fbc6530adba34835495c41ccf5f14115a0d8123132f444b23b3e31d1ff
              • Opcode Fuzzy Hash: a855913dab3de5cb1ff70043f979c8308ccbda9f2552a58a16d6e16f8ffde13a
              • Instruction Fuzzy Hash: 24127D74900219DFDF24CFE8C881AAEB7B4FF48714F1880EAE849EB641E7349851CB65
              Function 0383EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              • API String ID: 0-1109411897
              • Opcode ID: e5cf79e90fbedc6817790a6420623f06961e0c9d55053eeb8975d5d1c30788a2
              • Instruction ID: df14005db39f2b8e34578df596907b4aedf6cc38400e450254ef343800341737
              • Opcode Fuzzy Hash: e5cf79e90fbedc6817790a6420623f06961e0c9d55053eeb8975d5d1c30788a2
              • Instruction Fuzzy Hash: 6CA22775E056698BEF64CF99C8887ADB7B5AF45304F1842EAD809E7350DB349E81CF80
              Function 0382F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-523794902
              • Opcode ID: cde719cf0df9a404107fc279bb45bb8d651a2912684d66f56a119d393bede752
              • Instruction ID: 45c601125b1fa07ce6d997f46f7f3db30cdc3a0317b7434775ff1570931b17f7
              • Opcode Fuzzy Hash: cde719cf0df9a404107fc279bb45bb8d651a2912684d66f56a119d393bede752
              • Instruction Fuzzy Hash: 4942FD752083859FC715EFA8C884A2AFBE5FF85208F0849EDE595CB381D734E985CB52
              Function 0383ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
              • API String ID: 0-4098886588
              • Opcode ID: 1ada03528f3a1f4971977e76ce9538a2172a98fe772a36efc373fe835d62a2a1
              • Instruction ID: a2061e148f64e89edecf73cc3e287c2f358b341bd750820fca347cf2b2ca3227
              • Opcode Fuzzy Hash: 1ada03528f3a1f4971977e76ce9538a2172a98fe772a36efc373fe835d62a2a1
              • Instruction Fuzzy Hash: DC32D1B49042698BEF22CB94CC94BEEB7B9AF46344F1841E6E449E7350D7759E80CF80
              Function 0384B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
              • API String ID: 0-122214566
              • Opcode ID: 0989240330d2a2e1ae20f7427a941ea35e34209c04385bacb3654b9efd32f6c5
              • Instruction ID: 300141ed59f016e043bd6a0ec2ccc6de703499d8a2f47aa16fcbb449c78f9a34
              • Opcode Fuzzy Hash: 0989240330d2a2e1ae20f7427a941ea35e34209c04385bacb3654b9efd32f6c5
              • Instruction Fuzzy Hash: 52C10831A0025DABDF25CBF9C88077EB7A5AF85314F1840E9E885DFA81E7B4D944C391
              Function 038663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              • API String ID: 0-792281065
              • Opcode ID: 7c64e910dbadfdf58c3f5c6891263bbf695d4ebcc070223b6bf1e037a4a444a6
              • Instruction ID: 6311854383b9c96117011b5153a5246d3501a1668c3649e5bb617a90724edfb3
              • Opcode Fuzzy Hash: 7c64e910dbadfdf58c3f5c6891263bbf695d4ebcc070223b6bf1e037a4a444a6
              • Instruction Fuzzy Hash: 84913731A04B549BEB34EFEDD844BAEB7A4EB41714F1805E8D410EF781E7B49801C791
              Function 0386C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 0386C6C3
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 038A81E5
              • LdrpInitializeProcess, xrefs: 0386C6C4
              • minkernel\ntdll\ldrredirect.c, xrefs: 038A8181, 038A81F5
              • LdrpInitializeImportRedirection, xrefs: 038A8177, 038A81EB
              • Loading import redirection DLL: '%wZ', xrefs: 038A8170
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-475462383
              • Opcode ID: 59fc3d724a3fb39214bfadacfbd043ee47e76999de6191e7ebed9d861d9e0e6b
              • Instruction ID: 601233e065b678449226910a02a548893fb43ddd7dd1964cfef1d7250b2d4d18
              • Opcode Fuzzy Hash: 59fc3d724a3fb39214bfadacfbd043ee47e76999de6191e7ebed9d861d9e0e6b
              • Instruction Fuzzy Hash: A831E4756487459FD220EFACDD45E2AB7A4AF84B10F0409D8F885EF391EA64ED04C7A3
              Function 038B9C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
              • API String ID: 0-3127649145
              • Opcode ID: a81be2431561402631e6e4ee1f7b36c0c87512f9345a5eaa877c5072531886ef
              • Instruction ID: 86d5b25da16ab8bfd1e52600a495e8a9efdf128df0801599ec3ed647a0f45a00
              • Opcode Fuzzy Hash: a81be2431561402631e6e4ee1f7b36c0c87512f9345a5eaa877c5072531886ef
              • Instruction Fuzzy Hash: AC324975A0171A9BDB61DFA5CC88B9AB7F8FF48304F1041EAD509EB250DB74AA84CF50
              Function 03849950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
              • API String ID: 0-3393094623
              • Opcode ID: 76e8018a9e5825eb17dd7b4c31fbca2a4b2aca62f8faea7833106a25ba46b3cb
              • Instruction ID: 28a52e8947e945dd87aaa0c2ef151714c23dd11c969c4c935794800c5b9a000d
              • Opcode Fuzzy Hash: 76e8018a9e5825eb17dd7b4c31fbca2a4b2aca62f8faea7833106a25ba46b3cb
              • Instruction Fuzzy Hash: AE024871508359CBDB30CFA8C084B6BF7E5AF89714F48899EE899CB650E774D844CB92
              Function 038551EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
              Download Yara Rule
              Strings
              • Kernel-MUI-Language-Allowed, xrefs: 0385527B
              • WindowsExcludedProcs, xrefs: 0385522A
              • Kernel-MUI-Language-Disallowed, xrefs: 03855352
              • Kernel-MUI-Language-SKU, xrefs: 0385542B
              • Kernel-MUI-Number-Allowed, xrefs: 03855247
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
              • API String ID: 0-258546922
              • Opcode ID: be7ce3016851651fe63c1eef4913f679d60932aed7faaed9657a312a3a6a69ee
              • Instruction ID: c8881468731236dab3c0f7c878631efc9c9966eac8436dcd325f7ad1b4be30a4
              • Opcode Fuzzy Hash: be7ce3016851651fe63c1eef4913f679d60932aed7faaed9657a312a3a6a69ee
              • Instruction Fuzzy Hash: 87F13C76D00218EFCF15DFE8C980AEEBBB9EF49650F15409AE905EB250D7749E01CBA0
              Function 038B4F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
              • API String ID: 0-2518169356
              • Opcode ID: d4790f6d02816c16458d396e9399f7267df27980041092c2c8718057717f994c
              • Instruction ID: 6feca330fb00c298aa3f9279d2bb7cb95110034bdd43bedbb6945aa02311f766
              • Opcode Fuzzy Hash: d4790f6d02816c16458d396e9399f7267df27980041092c2c8718057717f994c
              • Instruction Fuzzy Hash: 9391CE76D0061A9BCB21CFA9C881AFEB7B5FF4A310F5941A9E810EB350D775DA01CB91
              Function 0385D7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1975516107
              • Opcode ID: 3ed076a424539625d5a9f014418438c1ed4b9f24f84d16645ae1d83e39fcea10
              • Instruction ID: c1fb34290ba8be63d16ad3ec2f68057befe603d2b51c2f046e858c68c58cafc7
              • Opcode Fuzzy Hash: 3ed076a424539625d5a9f014418438c1ed4b9f24f84d16645ae1d83e39fcea10
              • Instruction Fuzzy Hash: 7F51DD75A04749DFDB24EFE8C48479DBBB1BB48318F284499EC01EF291D774A889CB81
              Function 038276B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
              • API String ID: 0-3061284088
              • Opcode ID: 441b0d4c85508fb5292f2ce44ae9de78cc13341e3c9fb6ba946518a3218f904f
              • Instruction ID: feb434a2fa0ad692a4868e8ab6c0e3bc10f80b983e505a7e4291f8910a28ba1f
              • Opcode Fuzzy Hash: 441b0d4c85508fb5292f2ce44ae9de78cc13341e3c9fb6ba946518a3218f904f
              • Instruction Fuzzy Hash: CE012D36149660EED227F3DDD809F56BBD4DF42A70F1840C9F010CB692DA9858C1C521
              Function 038470C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: a3c1bf1d9491be15770d7301c83e21add7a24d1d6bb7949d586c3405b032416e
              • Instruction ID: 8b815e310aeae3f98791fa2a65f158279ea05b7e4830fb72ddc1d593a91d7a9c
              • Opcode Fuzzy Hash: a3c1bf1d9491be15770d7301c83e21add7a24d1d6bb7949d586c3405b032416e
              • Instruction Fuzzy Hash: FB139C70A00659DFDB25CFA8C4807A9FBF1BF49304F1881E9E859EBB81D735A945CB90
              Function 03841070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
              • API String ID: 0-3570731704
              • Opcode ID: 679a7e841c85b9ed7493aff6c818fd6c9cc3243eb8ed80deafcaf810dbf53a1f
              • Instruction ID: c80a15babd73741442a89e34e84de45f38a01be09ed50ebd0d4d585bcba70acc
              • Opcode Fuzzy Hash: 679a7e841c85b9ed7493aff6c818fd6c9cc3243eb8ed80deafcaf810dbf53a1f
              • Instruction Fuzzy Hash: 7E924975A0022CCFEB25CFA8C844BA9B7B5BF45314F1981EAD949EB640D7349E80CF51
              Function 0384A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
              Download Yara Rule
              Strings
              • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 03897D03
              • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 03897D56
              • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 03897D39
              • SsHd, xrefs: 0384A885
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
              • API String ID: 0-2905229100
              • Opcode ID: b812f4ecbb00f3b6b1e2e30fbc604d70db3ad4eb3eccc09e600b825806b7c060
              • Instruction ID: 7ef23d96d2289585696f8433f11b6594b2f6518792fd41a77bc1acf28e8de7c0
              • Opcode Fuzzy Hash: b812f4ecbb00f3b6b1e2e30fbc604d70db3ad4eb3eccc09e600b825806b7c060
              • Instruction Fuzzy Hash: 96D18A35A402199BDF28CFE8C880AADFBB5BF58314F1940AAE855EF745D335D880CB91
              Function 03843D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: 8cca78843c7bec172617b4e1b62fd5ad467b097863f39206cf403ace8f9ba30e
              • Instruction ID: 45297b46ab601e970cb0b2b8087f8f0886e08631cd40b2bec102a7753f54683e
              • Opcode Fuzzy Hash: 8cca78843c7bec172617b4e1b62fd5ad467b097863f39206cf403ace8f9ba30e
              • Instruction Fuzzy Hash: E7E2AE74A006199FDB24CFA9C490BA9FBF1FF49304F1881E9D849EBB85D774A845CB90
              Function 0383A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              • API String ID: 0-379654539
              • Opcode ID: fd742d8be400844574c48b281356b5a7da3296c4d82b6989a5d490905d4ebaa2
              • Instruction ID: 7c3eaf74c240a45e1a305e0bd1cac37b988ba894ecbec2a4ab80284584cd7aee
              • Opcode Fuzzy Hash: fd742d8be400844574c48b281356b5a7da3296c4d82b6989a5d490905d4ebaa2
              • Instruction Fuzzy Hash: 62C16D7410838A9FD719DF98C044B6AB7E4BF85708F0849AAF8D5CB350E739CA45CB92
              Function 03840C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
              Download Yara Rule
              Strings
              • HEAP: , xrefs: 038954E0, 038955A1
              • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 038955AE
              • HEAP[%wZ]: , xrefs: 038954D1, 03895592
              • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 038954ED
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
              • API String ID: 0-1657114761
              • Opcode ID: 213cb4b7e00f93c8ff68ccc10dd97a8c8019bfacd29b11208904aeaabf77eeba
              • Instruction ID: e81ac858e2f237d177c9a41fcd7ce8e9e149b54b85b9545da924b2d492b5186b
              • Opcode Fuzzy Hash: 213cb4b7e00f93c8ff68ccc10dd97a8c8019bfacd29b11208904aeaabf77eeba
              • Instruction Fuzzy Hash: 73A1F2B460460DDFDB25DFA8C840B7BFBA5AF45304F1885EAD596CBB82D334A844CB91
              Function 0386273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
              Download Yara Rule
              Strings
              • SXS: %s() passed the empty activation context, xrefs: 038A21DE
              • .Local, xrefs: 038628D8
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 038A21D9, 038A22B1
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 038A22B6
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              • API String ID: 0-1239276146
              • Opcode ID: d7c76e5ffb0a1253f655a20c641c3ba784523250f7adfe0df332812eea00f034
              • Instruction ID: 9555f081bbeb4ba50c58fbdaec59745f9c0fdf8a960afbcac083ff1233bcc234
              • Opcode Fuzzy Hash: d7c76e5ffb0a1253f655a20c641c3ba784523250f7adfe0df332812eea00f034
              • Instruction Fuzzy Hash: 58A18F3590122D9BDB34DFA8DC84BA9B3B5BF58314F1949E9D848EB251D7309E80CF91
              Function 0382F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
              • API String ID: 0-2586055223
              • Opcode ID: eae6d72b24ce9fd1440a0ea6518436aa30dff28f520726e25dbaa71c5cba1f72
              • Instruction ID: 0e243d983299ecd937ff39f2b95be348e0c83e1afa284048358d514d6b1ab869
              • Opcode Fuzzy Hash: eae6d72b24ce9fd1440a0ea6518436aa30dff28f520726e25dbaa71c5cba1f72
              • Instruction Fuzzy Hash: 5E610576205784AFD721EBA8C844F67BBE9EF80714F0804E8FA55CB291D734E941CB62
              Function 038E11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
              • API String ID: 0-336120773
              • Opcode ID: 0b1f6ba465f111d8639401fbdfc92f87f67bc7a86dc7653bb7d816ce3c033529
              • Instruction ID: 95e4e9b07188df4c79b6148d4d11971e06b4c70455c610505b289876ffd5cd80
              • Opcode Fuzzy Hash: 0b1f6ba465f111d8639401fbdfc92f87f67bc7a86dc7653bb7d816ce3c033529
              • Instruction Fuzzy Hash: 4D310176200214EFC752DBE8CC89F6AB7E8EF06664F1800D5F451CB291E670EC80CA66
              Function 03829148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
              • API String ID: 0-1391187441
              • Opcode ID: ad046706bdbe24c422725c1f016655107b9b8d4633238d333211eda03610238a
              • Instruction ID: bbec31347abfab640ce93706d2b09145f0dfee5472da1e61b69f1d324131d037
              • Opcode Fuzzy Hash: ad046706bdbe24c422725c1f016655107b9b8d4633238d333211eda03610238a
              • Instruction Fuzzy Hash: F0318336601214EFCB12EBDACC85F9EBBB9EF45620F1440D5E814EB291D774ED80CA61
              Function 038429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
              Download Yara Rule
              Strings
              • HEAP: , xrefs: 03843264
              • HEAP[%wZ]: , xrefs: 03843255
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0384327D
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              • API String ID: 0-617086771
              • Opcode ID: 62fe9d3f17b8b43d60d5b09812868eb40db4c4d1d9bfef89df42b079faae27ad
              • Instruction ID: 39e5fe470fe2166a9c8e0e3556d5a8ec7ac7ba442173dd916bc58c1629b14f84
              • Opcode Fuzzy Hash: 62fe9d3f17b8b43d60d5b09812868eb40db4c4d1d9bfef89df42b079faae27ad
              • Instruction Fuzzy Hash: 9292BC75A082489FDB25CFA8C4407AEBBF1FF48304F188499E899EBB91D775A941CF50
              Function 03841F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: 9c519680aedaa51727ab4cf1cddddcc49c31cc0ab9f4a4abcbc9c439b729478a
              • Instruction ID: 20d262d0a2de1bcae4313f25955e66c514704d06b844a9cf1089d7813fa4913f
              • Opcode Fuzzy Hash: 9c519680aedaa51727ab4cf1cddddcc49c31cc0ab9f4a4abcbc9c439b729478a
              • Instruction Fuzzy Hash: 1E22EC70604609AFEB16CFA8C494B7AFBB5EF06704F1C84DAE455CB682E735E881CB50
              Function 03840770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              • API String ID: 0-4253913091
              • Opcode ID: a9b73e12afc4c0cdf04bac7613d829e779b942037b8c8a775a45824d30230032
              • Instruction ID: 094290c66ee96f336c73f4345e7f0b84c3e9cf96ad44849931d19766103addf5
              • Opcode Fuzzy Hash: a9b73e12afc4c0cdf04bac7613d829e779b942037b8c8a775a45824d30230032
              • Instruction Fuzzy Hash: F0F1A9B4A00609DFEB25CFA8C980B6AF7B5FB45304F1881E9E516DB781D734E981CB91
              Function 03831460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
              Download Yara Rule
              Strings
              • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03831728
              • HEAP: , xrefs: 03831596
              • HEAP[%wZ]: , xrefs: 03831712
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
              • API String ID: 0-3178619729
              • Opcode ID: 08cedbb933e15c9d7e6e62cd7b11981a1960cd18c730ae2a4cac557fa655ebb6
              • Instruction ID: a0aaff67d8b881d2474c73062b2ad1c70d70707873dba96b11743af2eb890f3f
              • Opcode Fuzzy Hash: 08cedbb933e15c9d7e6e62cd7b11981a1960cd18c730ae2a4cac557fa655ebb6
              • Instruction Fuzzy Hash: 11E12130A046459FDB29EFA8C484B7ABBF5AF46704F1884DDE596CB345E734E940CB90
              Function 0383B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
              • API String ID: 0-1145731471
              • Opcode ID: 459611d205bcd51f582ad16bc246fb5ff3e60d9cc25e9653526f29a308520dba
              • Instruction ID: 37da8818d30b8f64c5be0a237ed9c04d53c0a73bfa101802e6d58a1d44851c11
              • Opcode Fuzzy Hash: 459611d205bcd51f582ad16bc246fb5ff3e60d9cc25e9653526f29a308520dba
              • Instruction Fuzzy Hash: 0FB18EB9A056489BDF26CFD9C880BADB7B6EF45714F1845EAE851EB380D770E840CB50
              Function 038B368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$DelegatedNtdll$\SystemRoot\system32\
              • API String ID: 0-2391371766
              • Opcode ID: 357af5b51f4f2da2fa2968be1468ccca23aa58ff2bd157aa4c6ed6d3c9031868
              • Instruction ID: 03576fd522a7bf0387759c70085241aad515bf99e3d95cd337e1bf12585ea679
              • Opcode Fuzzy Hash: 357af5b51f4f2da2fa2968be1468ccca23aa58ff2bd157aa4c6ed6d3c9031868
              • Instruction Fuzzy Hash: CEB18079604746EFD321DE98C880BABB7F8EB45714F1549A9FA50DB350D7B0E804CB92
              Function 03856962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $@
              • API String ID: 0-1077428164
              • Opcode ID: d6643d697b0a85757377b0ae2d99f79bb8137a8a6e94d50d1842e14666c0be35
              • Instruction ID: ceb596b82dfe4678df5dc4ad1325d281ca723a578f655ed19b7a6f8b986d8867
              • Opcode Fuzzy Hash: d6643d697b0a85757377b0ae2d99f79bb8137a8a6e94d50d1842e14666c0be35
              • Instruction Fuzzy Hash: FAC283716083459FEB25CFA8C840BABB7E5AF88754F0889ADFD89D7240E735D805CB52
              Function 0382A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              • API String ID: 0-2779062949
              • Opcode ID: dd37300c7ec4c5c3c06d49c07e4e24424c2295d25b905aa5cde727cf6668d4bb
              • Instruction ID: 7ba8e65e027325a223891a186ec80d599dbff85d2649cfe744fb19d6bf7c83cb
              • Opcode Fuzzy Hash: dd37300c7ec4c5c3c06d49c07e4e24424c2295d25b905aa5cde727cf6668d4bb
              • Instruction Fuzzy Hash: 9BA15B759116299BDB21EFA4CC88BAAF7B8EF44700F1401EAE909EB250D7359EC5CF50
              Function 038C36EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
              • API String ID: 0-318774311
              • Opcode ID: 76fe4e6979f6ae6eecf0ebe049461b5005daf417d73111f2e19988f564e5cc60
              • Instruction ID: c6236d9524e21318caa80846c6a1316e1a32d180a92b71a9f77da63a0a2c9d32
              • Opcode Fuzzy Hash: 76fe4e6979f6ae6eecf0ebe049461b5005daf417d73111f2e19988f564e5cc60
              • Instruction Fuzzy Hash: 0881CE79618384AFD311DB98C844B6AB7E8FF85754F0889ADF980DB390D7B8D805CB52
              Function 0386909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: %$&$@
              • API String ID: 0-1537733988
              • Opcode ID: ca3c3cb16a9cdd38054cf8734fb0918ae1fa79843b3c2af08b9ef35a9a9ea47c
              • Instruction ID: fff45813672bb968ea57cd1d64587496fe12ff61f9441b6f4fcc5906ddb5da98
              • Opcode Fuzzy Hash: ca3c3cb16a9cdd38054cf8734fb0918ae1fa79843b3c2af08b9ef35a9a9ea47c
              • Instruction Fuzzy Hash: FD71C0745087059FD710DFA8C580A2BFBE9BFC5618F24499DE4AACB291D730D905CB93
              Function 0390B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
              Download Yara Rule
              Strings
              • TargetNtPath, xrefs: 0390B82F
              • GlobalizationUserSettings, xrefs: 0390B834
              • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 0390B82A
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
              • API String ID: 0-505981995
              • Opcode ID: d41c1d594560a0ce3fa472646079bd13315512ea8a4816f84350ef0cacdf5b2c
              • Instruction ID: 09f02f7c220ba3a51d1b90cc0a2c7739d01074c575b4f613c7b5557bc2c2094c
              • Opcode Fuzzy Hash: d41c1d594560a0ce3fa472646079bd13315512ea8a4816f84350ef0cacdf5b2c
              • Instruction Fuzzy Hash: 2461707694162DAFDB21DF98DC88B99B7B8AF04754F0101E5A518AB290D774DE80CF90
              Function 0382F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
              Download Yara Rule
              Strings
              • HEAP: , xrefs: 0388E6B3
              • HEAP[%wZ]: , xrefs: 0388E6A6
              • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0388E6C6
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
              • API String ID: 0-1340214556
              • Opcode ID: eabf41d5016dba4903c17f01cb6e2ad622e280915a1ed3d041b1428c4531c093
              • Instruction ID: 2cfd87f890987b1ffd98440ea9f76d05b89efea49445ccce6fbe6d03000fb375
              • Opcode Fuzzy Hash: eabf41d5016dba4903c17f01cb6e2ad622e280915a1ed3d041b1428c4531c093
              • Instruction Fuzzy Hash: 0D51C335604758EFD722EBE8C844B6AFBF8AF05304F0800E4EA51DB692D774E950CB11
              Function 038DDAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
              Download Yara Rule
              Strings
              • HEAP: , xrefs: 038DDC1F
              • Heap block at %p modified at %p past requested size of %Ix, xrefs: 038DDC32
              • HEAP[%wZ]: , xrefs: 038DDC12
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
              • API String ID: 0-3815128232
              • Opcode ID: 79bef607b50651a88ebc5860edb1b89eecbbd7f8eec870db8b94d79d920ca822
              • Instruction ID: d3a0c7c8a52ef383e9567c58493275a11f3379d6f080950b97ac0fcdb862f4af
              • Opcode Fuzzy Hash: 79bef607b50651a88ebc5860edb1b89eecbbd7f8eec870db8b94d79d920ca822
              • Instruction Fuzzy Hash: C15134351046548EE374DAAEC844772B7E1DF4534CF1888CAE4D2CB685D275E84BDB21
              Function 0386C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
              Download Yara Rule
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 038A82E8
              • Failed to reallocate the system dirs string !, xrefs: 038A82D7
              • LdrpInitializePerUserWindowsDirectory, xrefs: 038A82DE
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              • API String ID: 0-1783798831
              • Opcode ID: 2212191fba16c1a1c3000560023ec88427e2fe08eb666f6eb5c54bb6fb54e9f0
              • Instruction ID: 56f32d61cc0dce209f32c743f3cc941e9beb3ee93a8f42756b8fa1af5aa9bd72
              • Opcode Fuzzy Hash: 2212191fba16c1a1c3000560023ec88427e2fe08eb666f6eb5c54bb6fb54e9f0
              • Instruction Fuzzy Hash: 9041D3B5549704ABCB20FBACD844B5B77E8EB44650F0449AAF988DB254EB74D810CB92
              Function 038616CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
              Download Yara Rule
              Strings
              • LdrpAllocateTls, xrefs: 038A1B40
              • minkernel\ntdll\ldrtls.c, xrefs: 038A1B4A
              • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 038A1B39
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
              • API String ID: 0-4274184382
              • Opcode ID: 9008a81027206fbc1bc024e552949f65fb275a6649e2e84e521b1ef6eedf6b26
              • Instruction ID: f284fe81ad36f11da3b4ef3ec5cd75637463ae1c6de73bfad4d85124ac76d175
              • Opcode Fuzzy Hash: 9008a81027206fbc1bc024e552949f65fb275a6649e2e84e521b1ef6eedf6b26
              • Instruction Fuzzy Hash: EE4168B9A00A08AFDB15DFE8C845BAEFBF5FF49714F148199E405EB255D774A800CB90
              Function 038EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
              Download Yara Rule
              Strings
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 038EC1C5
              • PreferredUILanguages, xrefs: 038EC212
              • @, xrefs: 038EC1F1
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              • API String ID: 0-2968386058
              • Opcode ID: 915143f233f72c364882597d4938db3b1afcc91e2ed9487ed61a7e6d3b8eebb5
              • Instruction ID: ab3b941811eed4007a2a3b55c844c779ab68e1c44d87d69921d2c224a31cd37b
              • Opcode Fuzzy Hash: 915143f233f72c364882597d4938db3b1afcc91e2ed9487ed61a7e6d3b8eebb5
              • Instruction Fuzzy Hash: EC418076E00209EFDF11DAE8C881FEEBBBDAB05704F1440AAE915F7290D7749A44CB91
              Function 038C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              • API String ID: 0-1373925480
              • Opcode ID: 14cb81a6fd1b53581f2436cce73ba082136523ff2bb3ae48de0c803ec77b9ab7
              • Instruction ID: 45b8a968ef6840c617b8e779d57ab69def026b59df24218279c6adad6e342058
              • Opcode Fuzzy Hash: 14cb81a6fd1b53581f2436cce73ba082136523ff2bb3ae48de0c803ec77b9ab7
              • Instruction Fuzzy Hash: 3641D0759103888BEB22DBEAC850BADB7B8EF55344F1804DED941EF781DA75C941CB11
              Function 038B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              Strings
              • LdrpCheckRedirection, xrefs: 038B488F
              • minkernel\ntdll\ldrredirect.c, xrefs: 038B4899
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 038B4888
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              • API String ID: 0-3154609507
              • Opcode ID: 52c1e1714b64694b33e52ea91e0553581e96f91e5b70664caedbff34aae44054
              • Instruction ID: 4409735566f96cdbbc0c091f13fdc2c6d8bbf968a95b97a8c1240470e5d97983
              • Opcode Fuzzy Hash: 52c1e1714b64694b33e52ea91e0553581e96f91e5b70664caedbff34aae44054
              • Instruction Fuzzy Hash: 2A41D632A047569FCB21DEAAD842AA6B7F8AF49650F0905D9FC58DB353D731E800CB91
              Function 038633A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON
              Download Yara Rule
              Strings
              • RtlCreateActivationContext, xrefs: 038A29F9
              • Actx , xrefs: 038633AC
              • SXS: %s() passed the empty activation context data, xrefs: 038A29FE
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
              • API String ID: 0-859632880
              • Opcode ID: a0c396724d976abdd7d06099f75ed0dbcb23bbf54f2260fb43b7311b58e9ace1
              • Instruction ID: b1c0e2ab712122ac0b7498834d98fbab40289ac221d53eb43c60685334179a20
              • Opcode Fuzzy Hash: a0c396724d976abdd7d06099f75ed0dbcb23bbf54f2260fb43b7311b58e9ace1
              • Instruction Fuzzy Hash: CA3126362007059FEB26DED8C880F96B7A4BB44710F1944A9ED05DF291C7B0E941C790
              Function 03861607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
              Download Yara Rule
              Strings
              • LdrpInitializeTls, xrefs: 038A1A47
              • DLL "%wZ" has TLS information at %p, xrefs: 038A1A40
              • minkernel\ntdll\ldrtls.c, xrefs: 038A1A51
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
              • API String ID: 0-931879808
              • Opcode ID: d8826f2be15dffa99ab799d88bc542d9356f18bb05cc99a6c5a4115ffb56b423
              • Instruction ID: 24f74c64442d2b9fb59c2f854af507fb8dd2cf349bd210a34a55e16a1bd340d2
              • Opcode Fuzzy Hash: d8826f2be15dffa99ab799d88bc542d9356f18bb05cc99a6c5a4115ffb56b423
              • Instruction Fuzzy Hash: 14312836A04704ABEB20DBD8CC8DF7AB7ACEB52754F0500D9E505EB185E7B0AD048791
              Function 03871270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON
              Download Yara Rule
              Strings
              • BuildLabEx, xrefs: 0387130F
              • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0387127B
              • @, xrefs: 038712A5
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
              • API String ID: 0-3051831665
              • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction ID: 4635ca6531ac7e08b8900ba23c51f3a2025f30fc1f2abe20ebcc425b6ea0a284
              • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
              • Instruction Fuzzy Hash: 6231AF7690061CABDB11EFE9CC48EAEBBBEEB85710F0044A5E914EB560D734DA05CB61
              Function 038B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
              Download Yara Rule
              Strings
              • Process initialization failed with status 0x%08lx, xrefs: 038B20F3
              • minkernel\ntdll\ldrinit.c, xrefs: 038B2104
              • LdrpInitializationFailure, xrefs: 038B20FA
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2986994758
              • Opcode ID: fe5e8c9292fe8e60b91f3c5554723a1a0d8a52f79b48a25dca693cb524d99ce5
              • Instruction ID: c0e0ff6b640596ca071a6e31100b739d2060ad1d58aa65ab677bcf461b06411c
              • Opcode Fuzzy Hash: fe5e8c9292fe8e60b91f3c5554723a1a0d8a52f79b48a25dca693cb524d99ce5
              • Instruction Fuzzy Hash: 75F0FF74640708ABEA20E68C8C42F9A776CEB40A04F1408D4F600EB386D2A4B9108A91
              Function 038403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              • API String ID: 48624451-232158463
              • Opcode ID: d4e27bf87f0dc59c4d1155fa447bb575e49033d29f2f344769eacb4db14f395a
              • Instruction ID: 8314ba0e6bb7f8b0a8d37bb8876a8c3b8fb16f967e1b51cb8753c3514fbc80f7
              • Opcode Fuzzy Hash: d4e27bf87f0dc59c4d1155fa447bb575e49033d29f2f344769eacb4db14f395a
              • Instruction Fuzzy Hash: 09713CB5A0024A9FDB05DFD9D990BAEB7F8EF08704F1940A5E905EB251E734EE01CB61
              Function 038D705E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112timeCOMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: DebugPrintTimes
              • String ID: kLsE
              • API String ID: 3446177414-3058123920
              • Opcode ID: 796a15376236dae0e5da734a92adbc46b34f58103cd26a33acb4c95b070c163d
              • Instruction ID: 1a95bbd630c66898933d9992ca6023a15d7f92e631721005091e8b30522b6f12
              • Opcode Fuzzy Hash: 796a15376236dae0e5da734a92adbc46b34f58103cd26a33acb4c95b070c163d
              • Instruction Fuzzy Hash: AE418936509B504AE731FFE9E884B697B94AB51724F180298FC60CF1C9CBB44885C792
              Function 038452A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @$@
              • API String ID: 0-149943524
              • Opcode ID: da531006d767e694d1c114e6b32df3299d9b31bf96c5e4403ad8826cf7f631ac
              • Instruction ID: 8882e674f703a811e7dd5a92fb50e3291589e51cf8f4455b793f54fe480b272f
              • Opcode Fuzzy Hash: da531006d767e694d1c114e6b32df3299d9b31bf96c5e4403ad8826cf7f631ac
              • Instruction Fuzzy Hash: D332BB745083198BDB24CF98C480B3EB7E1EF86754F1849AEF885DBA90E734D944CB52
              Function 038FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              • API String ID: 0-197956300
              • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction ID: 2d59ca1ad93ee3e0910cc56d7a4bbaf1edec67c4855c9e7b8cfb1a9e05eca2f2
              • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
              • Instruction Fuzzy Hash: AEC1B0312043459FD728CFA8C841B6BFBE5AF84328F184AADF699CA290D779D505CF52
              Function 03830CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
              Download Yara Rule
              Strings
              • Failed to retrieve service checksum., xrefs: 0388EE56
              • ResIdCount less than 2., xrefs: 0388EEC9
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
              • API String ID: 0-863616075
              • Opcode ID: 5993de1333a4350e1f068a5508b96d847c5afaa8e58bcbe8f89e53432afb7dc4
              • Instruction ID: c9c7ae3b2302dd6556f9dc3f657bfac4b1ad992d59b14f556b4b2a9074a5efbe
              • Opcode Fuzzy Hash: 5993de1333a4350e1f068a5508b96d847c5afaa8e58bcbe8f89e53432afb7dc4
              • Instruction Fuzzy Hash: 95E1F3B59087849FE364CF55C480BABBBE4BB88314F408A6EE599CB340DB709549CF96
              Function 00402750 Relevance: 2.7, Strings: 2, Instructions: 238COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU$gfff
              • API String ID: 0-2662692612
              • Opcode ID: 69b26ba78d24ab6b8e9714e85fa87761602e9d190b350e59215d9f5f646a4fcf
              • Instruction ID: 6b67196cf28f1ef6d3ac014523c7bdca602c243eae3cbeb3c78acf590c9b7b76
              • Opcode Fuzzy Hash: 69b26ba78d24ab6b8e9714e85fa87761602e9d190b350e59215d9f5f646a4fcf
              • Instruction Fuzzy Hash: EA71DF76B001064BDF1CC959CEA867EB666EBE4304F58813ED906EF3C1E6B89D018784
              Function 00402B66 Relevance: 2.7, Strings: 2, Instructions: 183COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU$gfff
              • API String ID: 0-2662692612
              • Opcode ID: 1b264ccb5b51f6f40987096ad3a68093c98237755e3e8d0efbb800848af205ab
              • Instruction ID: 7d8ee9887b253d9c44c59fb2632620a80cfd97ddb8da0e7797d02b44000acb44
              • Opcode Fuzzy Hash: 1b264ccb5b51f6f40987096ad3a68093c98237755e3e8d0efbb800848af205ab
              • Instruction Fuzzy Hash: E4519A32B0450A4BDB188D6DCE882DDB7A6EBD8304F18417BCD45EB3D1E5B8AA068784
              Function 038AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              • API String ID: 2994545307-634100481
              • Opcode ID: 350405288fc17bafe841a8a74a56f512f32f10d4e6a27801d6a1cb492089a8f2
              • Instruction ID: 1494424f75b0ee79e6077fea37eba6b324b4c7a0c0012080f2bdd7448025a0ac
              • Opcode Fuzzy Hash: 350405288fc17bafe841a8a74a56f512f32f10d4e6a27801d6a1cb492089a8f2
              • Instruction Fuzzy Hash: 7E612A71E00B189FEB24DFECC980BAEBBB9FB44704F1444A9E659EB251D731A940CB51
              Function 0384F720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$$
              • API String ID: 0-233714265
              • Opcode ID: 3dd9d8787c70f1f9b915c41110b207c71cd83aaa0b85feef09de99fbe00f944a
              • Instruction ID: 69277a3cbe569c86f9e7b693abee1800f4404f2cd661c1c48386a31a762caf41
              • Opcode Fuzzy Hash: 3dd9d8787c70f1f9b915c41110b207c71cd83aaa0b85feef09de99fbe00f944a
              • Instruction Fuzzy Hash: A2618975A0074EDFDB20DFE8C580BADB7B1BB44704F1840ADD615AFA80DB74A945CB91
              Function 00402B70 Relevance: 2.6, Strings: 2, Instructions: 135COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: VUUU$gfff
              • API String ID: 0-2662692612
              • Opcode ID: dfa1cd395cc645ff7590599029b361e7a83f4a40508c1dba8d3897a8b66ed0f2
              • Instruction ID: 9a9b0de2442dcb83e64fe82f74c91fa492f25a63fb623c384764aabbfab15b71
              • Opcode Fuzzy Hash: dfa1cd395cc645ff7590599029b361e7a83f4a40508c1dba8d3897a8b66ed0f2
              • Instruction Fuzzy Hash: E1418B32B0454A0BEB098D6DCD882DD7B96EBD8314F19417ACC59EB3D1D4BCAA068794
              Function 0383A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
              Download Yara Rule
              Strings
              • RtlpResUltimateFallbackInfo Enter, xrefs: 0383A2FB
              • RtlpResUltimateFallbackInfo Exit, xrefs: 0383A309
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              • Opcode ID: a90906843236830fac01592007f416709af6b63a54920cb65e924a83fcd4ba45
              • Instruction ID: f58a7da913ced0b53f3222e12ead07d42e8552baa03ea3fd63c91ab1a1154fc0
              • Opcode Fuzzy Hash: a90906843236830fac01592007f416709af6b63a54920cb65e924a83fcd4ba45
              • Instruction Fuzzy Hash: 34419D35A04649DBDB15CFA9C840B69B7F4FF86704F1844E6EC44DB391E679D900CB92
              Function 0386329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: .Local\$@
              • API String ID: 0-380025441
              • Opcode ID: ad63a33d2748cb377513435df05dac07908b9d970b8ee19bdf4f4f71ea2e0dab
              • Instruction ID: ad91328e7b9cc7fbe526a92f0442a0746b91124e58c075facfeea6e9b808123f
              • Opcode Fuzzy Hash: ad63a33d2748cb377513435df05dac07908b9d970b8ee19bdf4f4f71ea2e0dab
              • Instruction Fuzzy Hash: 9931A17A5087089FC321DF68D980A5BBBE8EBC5654F4809AEF595C7260DA70DD04CB93
              Function 0383C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              • Opcode ID: f9c43cf8a3e378db077bf83529d27d1a195e8d1868ff72013323bc5a4d93f57a
              • Instruction ID: 4d3de6d75c5cb163c21434795bac5585ba81708245d893d4ba7a36c5175babc3
              • Opcode Fuzzy Hash: f9c43cf8a3e378db077bf83529d27d1a195e8d1868ff72013323bc5a4d93f57a
              • Instruction Fuzzy Hash: 38823975E002189BDB24CFE9C880BEDF7B5BF4A714F1881A9E859EB350D770A945CB90
              Function 03882F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: P`vRbv
              • API String ID: 0-2392986850
              • Opcode ID: 20e8788bda6498bf5b4805cc8a093840838c68544368ff350fb6a0c55d6e1a56
              • Instruction ID: cdbd0b216a002babcaccfd5eefd2618ccbcb99292b4fb8e0efb041789f310702
              • Opcode Fuzzy Hash: 20e8788bda6498bf5b4805cc8a093840838c68544368ff350fb6a0c55d6e1a56
              • Instruction Fuzzy Hash: 0742C27DD04259AADF29FFE8D8446BDFBB5AF04B14F1880DAE451EB280D7B48A41CB50
              Function 03837370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 37f6005300e440ff76106b56a7911663b72d6b724d5779d8cff2aa2cf5d54b46
              • Instruction ID: d198f4a254f28ee961ea63a92eed4db949d7343174e26e9554470e637b4c5567
              • Opcode Fuzzy Hash: 37f6005300e440ff76106b56a7911663b72d6b724d5779d8cff2aa2cf5d54b46
              • Instruction Fuzzy Hash: 0CA18EB5608346CFD724DFA8C480A2ABBE5BF89304F1449AEF585DB350E770E945CB92
              Function 03852E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: f333d206cbb58494764b2232ed549b94d5659e4b0a633c6e7593320f3707441d
              • Instruction ID: eab9b56ac1649865f8dc1296307519a265d1b2d84f0be4cc09a54b7cc8c5cf54
              • Opcode Fuzzy Hash: f333d206cbb58494764b2232ed549b94d5659e4b0a633c6e7593320f3707441d
              • Instruction Fuzzy Hash: 45F1AE796087458FDB25CFA8C080B6ABBE5AF88654F0948EDFC89CB240DB74D945CB52
              Function 00416B13 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction ID: 55830e32febec7d8a72ccba30daac32bbab443394bce03d2eb609ce44a323b6e
              • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
              • Instruction Fuzzy Hash: AB021E76E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
              Function 00416B0E Relevance: 1.7, Strings: 1, Instructions: 421COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: (
              • API String ID: 0-3887548279
              • Opcode ID: 466246502ed207124b9dba0630461ba3c23bf80d588789ee3a807a11fa71ebb2
              • Instruction ID: b082f4392ee012e85a510aca100820216c96f346af0f5445facd4fbe9dd97ca7
              • Opcode Fuzzy Hash: 466246502ed207124b9dba0630461ba3c23bf80d588789ee3a807a11fa71ebb2
              • Instruction Fuzzy Hash: 86021DB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
              Function 03832FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: PATH
              • API String ID: 0-1036084923
              • Opcode ID: dc3558bbf8a71a7c1e360a92358fc3239efd924ba7907885293a0f8d1f0fe6ce
              • Instruction ID: 7e236ce8bd873732c6f4ede0ea86b6e24725879b7f6df0e9f04dda01ffe3dc9f
              • Opcode Fuzzy Hash: dc3558bbf8a71a7c1e360a92358fc3239efd924ba7907885293a0f8d1f0fe6ce
              • Instruction Fuzzy Hash: 4EF1BF79D00618DBCB25DFE8D880ABEB7B1FF89700F4980A9E440EB354D7B49941CB91
              Function 0386F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cacc195bb9861903f326124709e603ba084b3d12c79ca2051334f0fa9b25ccb
              • Instruction ID: 328778a033f5851815a5444346e4faf7b524bfaeb710f99459542ab6a3390dcc
              • Opcode Fuzzy Hash: 8cacc195bb9861903f326124709e603ba084b3d12c79ca2051334f0fa9b25ccb
              • Instruction Fuzzy Hash: 9F412AB4900688AFDB20DFA9D480AAEFBF4FB48740F5441AED959EB215D7319944CB60
              Function 03830100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              • Opcode ID: 4ba840308ce41e0b5ca5387d3d851c8e099f34bc61018765d13cbd9b0d54ed79
              • Instruction ID: 7b9113fc3f1c7b032f8781f41e914f7765061de0b0aa76bd3f27a1bf3299c929
              • Opcode Fuzzy Hash: 4ba840308ce41e0b5ca5387d3d851c8e099f34bc61018765d13cbd9b0d54ed79
              • Instruction Fuzzy Hash: 0FA10BB1A0436C5BDF25DBE98840BFEA7A95F46708F0840D9ED87EB381C6749940C7D1
              Function 0383973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction ID: bdb99a53b5222b16699e850050c81db1a627cf5e8866cda88cc1fdead77586a7
              • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
              • Instruction Fuzzy Hash: C4614A75D0121DABDF21DFE9C840BAEFBB8EF85714F1845AAE810E7290D7B49901CB90
              Function 0040274A Relevance: 1.4, Strings: 1, Instructions: 177COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: gfff
              • API String ID: 0-1553575800
              • Opcode ID: 3a59fb0ea28a9854a508a3bcca7edc27cf79f8675b44b2768a56829309a3a8e1
              • Instruction ID: b803d3924d50ca01ec9b830d523945d7ea665dcf9de1be11e3fe2a764ac422e9
              • Opcode Fuzzy Hash: 3a59fb0ea28a9854a508a3bcca7edc27cf79f8675b44b2768a56829309a3a8e1
              • Instruction Fuzzy Hash: 1151B475F001068BDF5CDE59CAA867E7766EBE4304F64813ED905AF3C1E6B89D018B84
              Function 038BF7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: @
              • API String ID: 0-2766056989
              • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction ID: 1202c43be675574f2297d8c648883b681b436c41f59a3412064a2f97572cbd5e
              • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
              • Instruction Fuzzy Hash: F1518B72604346AFD721DF98CC40FAAB7F8FB84754F0409A9BA44DB290D7B4E914CB92
              Function 0384E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              • Opcode ID: 4f30e31ae2cf67dc2e929d0f365a377c048b27313fa4a02895faab7ceef722c1
              • Instruction ID: 5ef76bf52d71484206bc3b19961245450ebf003ed444e76add0343de5115c8c1
              • Opcode Fuzzy Hash: 4f30e31ae2cf67dc2e929d0f365a377c048b27313fa4a02895faab7ceef722c1
              • Instruction Fuzzy Hash: 92418E765083099BD710DAE8C980B6BB7E8BF88728F0409ADF984DB580E774E904C797
              Function 038EB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: PreferredUILanguages
              • API String ID: 0-1884656846
              • Opcode ID: 3bf0a8592b6430dcd3999ce1e5361edf957c9e9ec5571a5ea59e2712210a4d41
              • Instruction ID: c31f204f060c12ef70908ad20e3f2bdd155095dfe2c2b13f63c65b4bb5a538b4
              • Opcode Fuzzy Hash: 3bf0a8592b6430dcd3999ce1e5361edf957c9e9ec5571a5ea59e2712210a4d41
              • Instruction Fuzzy Hash: B441D336D04219ABCF12DAD8C841BEEF7F9EF86710F0501A6E911EB254D6B0DE40C7A1
              Function 038AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              • Opcode ID: 3c2ac4f9261753d1c487aa9a4059661a4d0d63ed5dd162580d4e3f4d4594d9b3
              • Instruction ID: f25d06479258dbce000a7b4fa0e11850c8082a681ab721d65a44e4cd36e5a804
              • Opcode Fuzzy Hash: 3c2ac4f9261753d1c487aa9a4059661a4d0d63ed5dd162580d4e3f4d4594d9b3
              • Instruction Fuzzy Hash: 454175B5D0062CABEB21DB98CC84FDEB77DAB44714F0045E5E608EB140DB709E898FA5
              Function 038B97A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: verifier.dll
              • API String ID: 0-3265496382
              • Opcode ID: 1ab3608add30777c5a45592005008081e29df3501a9e120a4da427506f9aa99e
              • Instruction ID: 19a686add2578541b91526678bd9dd3457a244541128c086a32a984e2c9cb122
              • Opcode Fuzzy Hash: 1ab3608add30777c5a45592005008081e29df3501a9e120a4da427506f9aa99e
              • Instruction Fuzzy Hash: CB3172756007029FDB34DFA99860AB6B7F9EB49710F5980BAE609DF385E7318C80C790
              Function 038636EF Relevance: 1.4, Strings: 1, Instructions: 106COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Flst
              • API String ID: 0-2374792617
              • Opcode ID: 655134dc43ca4e9fa93bdd6fc595ba115f1aff106c7f64549ae59dbbfa64668d
              • Instruction ID: fbf20f5d49f13619383b296b19e27934d299f4c1e3fcec207b9783b5af83dd04
              • Opcode Fuzzy Hash: 655134dc43ca4e9fa93bdd6fc595ba115f1aff106c7f64549ae59dbbfa64668d
              • Instruction Fuzzy Hash: 38419AB5605301DFD724CF98C480A16FBE4EF89714F1885AEE45ACF291EBB1D942CB92
              Function 03835096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: Actx
              • API String ID: 0-89312691
              • Opcode ID: 51d263b4fba2d3c4cbbe9f3ef5222b4131fee6e82a724165e241b424b3af8e11
              • Instruction ID: ad5ea18ba3d60a5cac6786c3e8c930a3cb3493328b11ab260206bd5d98fe87f0
              • Opcode Fuzzy Hash: 51d263b4fba2d3c4cbbe9f3ef5222b4131fee6e82a724165e241b424b3af8e11
              • Instruction Fuzzy Hash: B01166307055069BEB24C99D88706BAF2D5EB97268F3C85EAD451CB391D673D841C7C0
              Function 038B106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: LdrCreateEnclave
              • API String ID: 0-3262589265
              • Opcode ID: f1082082465d339d4f0ee24b84682f2bcf6549dc0fd4ea4e385600dfd7ab54e3
              • Instruction ID: 3a6374ac63806a0e481f37e064a535d120b16b2de9873d900957f31d5d73d2e2
              • Opcode Fuzzy Hash: f1082082465d339d4f0ee24b84682f2bcf6549dc0fd4ea4e385600dfd7ab54e3
              • Instruction Fuzzy Hash: A32137B15083449FC320DF5AC848A9BFBE8EBD5B00F000A5EB5A0CB350D7B4D504CB92
              Function 0386E8F0 Relevance: 1.0, Instructions: 985COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 78a9ab27dcbfcdcd996124af381945476d315b8d2a13cd561bab9926a6798b42
              • Instruction ID: 87fe999867461f78662a2d85d35c6f4af9138e7415ab125b085f18e23fde75b7
              • Opcode Fuzzy Hash: 78a9ab27dcbfcdcd996124af381945476d315b8d2a13cd561bab9926a6798b42
              • Instruction Fuzzy Hash: AF822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE41AEB345DA34AC568B45
              Function 0387516C Relevance: .8, Instructions: 785COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7536581ac886f6258109ca6a1ebcc6eb836c47a49a0c9cd950ad04bdb5ea8da6
              • Instruction ID: 6957cf7cdc4f6c810abc6c48f36b5d4419b22900812336bde28674ea3c936825
              • Opcode Fuzzy Hash: 7536581ac886f6258109ca6a1ebcc6eb836c47a49a0c9cd950ad04bdb5ea8da6
              • Instruction Fuzzy Hash: 21628F7280464AAFCF24CF98D4905AEFB63BE56318B49C5DCC89AA7604D331FA44CBD1
              Function 0388739A Relevance: .7, Instructions: 705COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2849b10a6e3a94615ca30e6dec950b065fa078a9a598eca4179c5d0a4beebbec
              • Instruction ID: 66081592878967289cb17bef4cb7fd59b03426401a47a773212a1732bc3fe53d
              • Opcode Fuzzy Hash: 2849b10a6e3a94615ca30e6dec950b065fa078a9a598eca4179c5d0a4beebbec
              • Instruction Fuzzy Hash: F542A275A006168FDB14EF99C4806BEF7B6FF88314B2885ADE552EB340D734E942CB90
              Function 03885AA0 Relevance: .7, Instructions: 652COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
              • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
              • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
              Function 0385B2C0 Relevance: .6, Instructions: 629COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d71061b58c6c017f9ab68c66ba7676c77b084861489f3d6b15e0a867c76d5f2b
              • Instruction ID: 511e5ddbac62605e2d6b2e763ea02d92fc4e57c1675cae135ce58a5863c27cae
              • Opcode Fuzzy Hash: d71061b58c6c017f9ab68c66ba7676c77b084861489f3d6b15e0a867c76d5f2b
              • Instruction Fuzzy Hash: F5329F76E01219DBCF25DFA8C880BAEBBB1FF54714F1800A9E805EB391E7759901CB91
              Function 038C8158 Relevance: .6, Instructions: 617COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0804b12e01c8547edbead1bafc2a0e2215e05e769c2a3cbbcfe397337573f224
              • Instruction ID: b3b9f9a37ae5ddb09cdbf73287d4997ed28a4fded27058eb555a1d6cc493c1e7
              • Opcode Fuzzy Hash: 0804b12e01c8547edbead1bafc2a0e2215e05e769c2a3cbbcfe397337573f224
              • Instruction Fuzzy Hash: 8E422775A502599FDB24CFA9C881BADF7B5BF88300F1881DAE849EB241D734D985CF60
              Function 03842840 Relevance: .6, Instructions: 605COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2550766fe5e0ede0c4329856ec056e502045a5cdec5e77bd9b5beb19ae9e328f
              • Instruction ID: 018f420ec91ad796c419bef4217b0bd7c779912c65eafca5812634f2ffe88610
              • Opcode Fuzzy Hash: 2550766fe5e0ede0c4329856ec056e502045a5cdec5e77bd9b5beb19ae9e328f
              • Instruction Fuzzy Hash: 6532DE74A047598BEF24CFE9C844BBEFBF6AF84314F18459AE446DB684E735A801CB50
              Function 038DA118 Relevance: .6, Instructions: 591COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b01c246dcab430f93bc5d2ff31ac216f89da2f9bc6a9a355fdb81d8628eda965
              • Instruction ID: 642437de51cc6828594a16173d23e8aa310725ac4b4f251059a550c771de396c
              • Opcode Fuzzy Hash: b01c246dcab430f93bc5d2ff31ac216f89da2f9bc6a9a355fdb81d8628eda965
              • Instruction Fuzzy Hash: EC22CE742046558BDB2CCFA9C090772B7F1AF45304F2888DAE896CF685E73DE552CB61
              Function 038F16CC Relevance: .6, Instructions: 571COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92a302aeb1d09d4125af89b9727eb5db3f163d79028725fb62c42610e150b7dc
              • Instruction ID: de4ad45acee6ae718aba9a5b74883ad0dccd48867ec4b8aadbe0ca96cea26766
              • Opcode Fuzzy Hash: 92a302aeb1d09d4125af89b9727eb5db3f163d79028725fb62c42610e150b7dc
              • Instruction Fuzzy Hash: 1F22A235B00216CFCB19CF99C494AAAF7B6BF88314B2845EDDA56DB344DB34E941CB90
              Function 0385FB80 Relevance: .6, Instructions: 559COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c31742a2e71d6d0aa0cab71d0f64eb1a9358925147c02c863d72ed465e82f61
              • Instruction ID: c917796972f24de1d9d801d9efc5bd3eace19343c09b7a94145d9e9e0580f8a6
              • Opcode Fuzzy Hash: 9c31742a2e71d6d0aa0cab71d0f64eb1a9358925147c02c863d72ed465e82f61
              • Instruction Fuzzy Hash: 28229FB5904609AFEB10DFE8C880BAEB7B5FF44310F1885E9E914DB245E734DA45CB91
              Function 038F1D5A Relevance: .6, Instructions: 559COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 311b3a927d5d071fb90de4965e3297761dd0187e2778f23e97454ca18eb703f3
              • Instruction ID: 3a404073f6e5a0c39946d5371e0160b94aff16374c96bb3db50e3c4b8b8e7cfa
              • Opcode Fuzzy Hash: 311b3a927d5d071fb90de4965e3297761dd0187e2778f23e97454ca18eb703f3
              • Instruction Fuzzy Hash: 552282796047128FC719CF68C490A2AF3E5FF89314B184AADE696CB355D730E846CB91
              Function 03858DBF Relevance: .6, Instructions: 554COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 25c57a7067559efb765e19abc0694a481e80e8b53dcf49f8470053a631b5134b
              • Instruction ID: 4f2a92de54de89a9b328f9cf6e834f35a1f3ad636c6e9f717f88d1f4a7d23d65
              • Opcode Fuzzy Hash: 25c57a7067559efb765e19abc0694a481e80e8b53dcf49f8470053a631b5134b
              • Instruction Fuzzy Hash: 55221A75E0021ADBDF15CFA5C4809BEFBF6AF48304B5880DAE845EB241E734EA41DB65
              Function 038F2446 Relevance: .5, Instructions: 485COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7335603a07ee1fe6c162509e06ab1239cbb0976b0ea55dabcecf885a1b3865d1
              • Instruction ID: 97416e1b80f47dec81f4750f8ad923be7fee1c3ee06b4ff9d67b73681ef9c502
              • Opcode Fuzzy Hash: 7335603a07ee1fe6c162509e06ab1239cbb0976b0ea55dabcecf885a1b3865d1
              • Instruction Fuzzy Hash: D602E2386046558FDB64CFAAC450275FBF1BF89304B1889DADAD6CF281D738E942DB60
              Function 0390B16B Relevance: .4, Instructions: 450COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9529bef6dbea272469cde8f3c0e3ac5897c8109444f047ca9f327d63f8872eb3
              • Instruction ID: b92536f5507473935848248b8e82035bc6752ca2915ba2c84789ce3e54e7d12f
              • Opcode Fuzzy Hash: 9529bef6dbea272469cde8f3c0e3ac5897c8109444f047ca9f327d63f8872eb3
              • Instruction Fuzzy Hash: 53F1F772E006158FCB18DFA9C9A067EFBF9AF9821071D41ADD456DB3C0D634EA41CB90
              Function 00410383 Relevance: .4, Instructions: 435COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction ID: 2d1dfe8b02edf6a60c3af1b0cfe2d06f16127bba83e88f6c9a7bb5f8bc13bf48
              • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
              • Instruction Fuzzy Hash: 1A026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
              Function 0390A9A6 Relevance: .4, Instructions: 425COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 02b6f0f8159c5735c157bc18fc2d7aa507cdae01bcd8df56da0a27c97f03994f
              • Instruction ID: 5d2bcebc62c37249d19c676fc1a26f07f56c07f63d9ca1c69f69fb1f458f4b71
              • Opcode Fuzzy Hash: 02b6f0f8159c5735c157bc18fc2d7aa507cdae01bcd8df56da0a27c97f03994f
              • Instruction Fuzzy Hash: A5F1A173E006269FCB18CEA8C5A05BDFBB9AF55250B1A4269D856EB3C0D734DE41CBD0
              Function 0385FDC0 Relevance: .4, Instructions: 390COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e8061553976793203fbb31939b27c9c3405319ddd8ffe7a8f717968df3ec1f3
              • Instruction ID: 3d9e876f4106cf5d1235281af5364a1890918135cda81afd4d6d03e2d18309d4
              • Opcode Fuzzy Hash: 7e8061553976793203fbb31939b27c9c3405319ddd8ffe7a8f717968df3ec1f3
              • Instruction Fuzzy Hash: 82F17FB4904609DFEB14DFE8C480AAEB7B5FF44304F2885E9E905EB245E734DA45CB91
              Function 03828397 Relevance: .4, Instructions: 380COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b2af77116f3c1bf93e598d488f862817ba1ea702508c2ffdba4c1ab0c8aed00
              • Instruction ID: 82278b8e526b7730966da59012e6d1f026d8a441a25e0b210bff73cbcc3142ed
              • Opcode Fuzzy Hash: 4b2af77116f3c1bf93e598d488f862817ba1ea702508c2ffdba4c1ab0c8aed00
              • Instruction Fuzzy Hash: 98D1D775A0072A9FCF15DFE8C890ABABBE5FF84304F0846A9E915DB280E734D985C751
              Function 0385C6E0 Relevance: .4, Instructions: 367COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac59fa7582bcf1addb33df05481a1b058f35b13554563536cd0c33b88eca7bf1
              • Instruction ID: ea07419b5598a95126bce041ae8e162d5f78b5697939e4056f41fdd94dd2c53b
              • Opcode Fuzzy Hash: ac59fa7582bcf1addb33df05481a1b058f35b13554563536cd0c33b88eca7bf1
              • Instruction Fuzzy Hash: AAD14875E043198BEF29CED8C5843BDBBB5EB44344F2880AAE842EB694D7749941CF45
              Function 038438E0 Relevance: .3, Instructions: 349COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e59ab2943030ae5c3e4dd9172af91fc28ea7159899cd7bccaa4c4bacb48187c
              • Instruction ID: f60e84ee84e70a7e2f4641ba85be693c34e75c6ec3133a7a7376958af72ad9b4
              • Opcode Fuzzy Hash: 8e59ab2943030ae5c3e4dd9172af91fc28ea7159899cd7bccaa4c4bacb48187c
              • Instruction Fuzzy Hash: AAE17F75A00609DFDB18CF98C880BAAB7F5FF58310F288199E455EB791D770E951CB90
              Function 0384CFE0 Relevance: .3, Instructions: 345COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: af4353f60f8520346b0400bc822466f48e6969c4ccd8c989f9c8d21230a95374
              • Instruction ID: 9d29dc2ee2f2ea34d0974604a61a2c4d8eaadf363a20fb6fe5dafd42e03879df
              • Opcode Fuzzy Hash: af4353f60f8520346b0400bc822466f48e6969c4ccd8c989f9c8d21230a95374
              • Instruction Fuzzy Hash: 57D1B731A0031D8FDB34DBA9C854BAAF7B5BB45304F0840E9D909DBA42D774AE89CF51
              Function 0383D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 56e53d3043fe92c8a85c33ad2c6bb12012a05256b341928424f8f086b491ba92
              • Instruction ID: 7ba34e310e10ca132784bddbea13d3082229cbdce25be8986c581844f82fd36d
              • Opcode Fuzzy Hash: 56e53d3043fe92c8a85c33ad2c6bb12012a05256b341928424f8f086b491ba92
              • Instruction Fuzzy Hash: E1C18071E006159BEF28CF9AC840BAEF7B5EB55314F1882E9D815EB394D770A946CBC0
              Function 038B8243 Relevance: .3, Instructions: 322COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction ID: 66b54ba0fa1c4425a889e46a79ceea575742d3d0aff9778c98b19516f1c78bdf
              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
              • Instruction Fuzzy Hash: 3BB14174A0064AAFDB24DFE5C940EEBB7BDFF84304F1444A9A942DB790DA74E905CB10
              Function 03840535 Relevance: .3, Instructions: 300COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction ID: 020dd6d072ef9ddef2ee32beab63e0d97a6e0491f3895f2077e45797c1f51dba
              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
              • Instruction Fuzzy Hash: 97B1E1B5600649AFDF21DBE8C850BBFFBB6AF45204F1901D9D642EB681D730E941CB51
              Function 038590DB Relevance: .3, Instructions: 287COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aecee80bb438e39a2df936cfee00da10808d64e11e0b0d31d240d419ecdb7834
              • Instruction ID: d0a0eca2f77328449ad80f7aa043ccb1084af97fcfb100bf1f31e92df36ad8bc
              • Opcode Fuzzy Hash: aecee80bb438e39a2df936cfee00da10808d64e11e0b0d31d240d419ecdb7834
              • Instruction Fuzzy Hash: 55A12A75900619AFEF12EFA8CC41BAE77B9AF45750F054094F900EF2A0D775D850CBA5
              Function 038383C0 Relevance: .3, Instructions: 281COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b67fdb555a8438c05355ba54c7dd92854d8d82d980a2779344b97231be7ca05
              • Instruction ID: d649dcf5e03270558441df4bc9d31d0f8cfdae0becf62cb7b730b612ce7979a3
              • Opcode Fuzzy Hash: 4b67fdb555a8438c05355ba54c7dd92854d8d82d980a2779344b97231be7ca05
              • Instruction Fuzzy Hash: 57C139741083418FDB64CF59C484BAAB7E5BF88304F48499EE989CB391D774EA48CF92
              Function 03870185 Relevance: .3, Instructions: 276COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 24211a1de2c32bcc1d522c06c680589c7fb1200a07a7e15e5e6487054865ba10
              • Instruction ID: 6606d7aa4be9f0ac9a663b6badfdba813e760d3a4d11d8ee83691ff704a0aa54
              • Opcode Fuzzy Hash: 24211a1de2c32bcc1d522c06c680589c7fb1200a07a7e15e5e6487054865ba10
              • Instruction Fuzzy Hash: 76A1B2B1B00B19DBDB24DFA9C990BAAB7F6FF44318F0441A9EA45DB281DB34E901C750
              Function 038B60E0 Relevance: .3, Instructions: 264COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1aa5ce2256f5fb16bc62e82c0bdda7750fc8967b0a702df4703a6f8f4f7fc100
              • Instruction ID: f29a5ffdf4dfdbe9593ce38b0394b766f10c12751ec8f78f9726f5fd5b77f78c
              • Opcode Fuzzy Hash: 1aa5ce2256f5fb16bc62e82c0bdda7750fc8967b0a702df4703a6f8f4f7fc100
              • Instruction Fuzzy Hash: DF91B475E0021AAFDF15CFE8D884BEEBBB5AF48700F1541A9E551EB351E734E9008BA0
              Function 0384E3F0 Relevance: .3, Instructions: 261COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 89c9f2023601be0be4df687337cb67f582485190ad2c23987f1bf26c2daafa8c
              • Instruction ID: 8d092074881fa7e700910a4aa206f408b194ff25c634230d803ca3e0df2bbf29
              • Opcode Fuzzy Hash: 89c9f2023601be0be4df687337cb67f582485190ad2c23987f1bf26c2daafa8c
              • Instruction Fuzzy Hash: AA91E435A00A198BEB24EBE8D844B7DB7A5FF84714F1A40EAE805DFA44E734E941C791
              Function 03831131 Relevance: .3, Instructions: 259COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30379322fc5a45e68479245bd427eb0d906724220b5c2ac25176bc4c57a0370e
              • Instruction ID: c54a17d5f1253f3fffd3da88d457ad1790035b12b5c162fd3c15065c0516f622
              • Opcode Fuzzy Hash: 30379322fc5a45e68479245bd427eb0d906724220b5c2ac25176bc4c57a0370e
              • Instruction Fuzzy Hash: 6CB111756093408FD364DF68C480A5AFBE1BF89704F1849AEF999CB352D370E945CB82
              Function 03864750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction ID: 162eebfde494effe35bdd96fe832657ab16553d600c370a0f570885d08caba34
              • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
              • Instruction Fuzzy Hash: EA814A35E0479A8FEB21CEEDC8C026DBB55EF52204F2C46FAD842DB241C7A5D986C791
              Function 0387DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
              • Instruction ID: 5d596072803277935d333cc3778ff72e36ebd5ce100c2e9a7c3ccac785b45dee
              • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
              • Instruction Fuzzy Hash: 55916272620A06CFD725CF6DC885662FBE1FF55328B188A98D4EADB6A0C375E515CB00
              Function 038FF7B0 Relevance: .2, Instructions: 242COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba7bea706c96426b7be7da253c9a8bf3edd7f7d3b2c69e7eccab8572f4a26ce1
              • Instruction ID: 8ce95f83024242f57dc8465c2dbebff5b1ac7d2b46931f88e628efa993e8bb74
              • Opcode Fuzzy Hash: ba7bea706c96426b7be7da253c9a8bf3edd7f7d3b2c69e7eccab8572f4a26ce1
              • Instruction Fuzzy Hash: 3B910672A1020AAFDB10CFA8C88076AB7E5EF44314F1885F8EB55DB381E774E911CB90
              Function 038FF43F Relevance: .2, Instructions: 241COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1620a04e5cf98f33eba807b08927e32d6c5b4523d5e32d75ad15fda7acf2526e
              • Instruction ID: 935f421e80bdf24b018a206a2a882b2cdf39eab8442112eebb6f01ccf3c1a004
              • Opcode Fuzzy Hash: 1620a04e5cf98f33eba807b08927e32d6c5b4523d5e32d75ad15fda7acf2526e
              • Instruction Fuzzy Hash: 1A91D272A005198FCB18CFA9C8906BEBBF1FF88310F1986A9D955DB395D634DA01CB50
              Function 038F81CC Relevance: .2, Instructions: 232COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c4cc46459a1c0d57e19bb74885f54cea9cede1541bc4110fd90b355918d1703
              • Instruction ID: 58197d0b4b458f115272a0087b45b6e95c815865b953e9b787d6df40349d6520
              • Opcode Fuzzy Hash: 3c4cc46459a1c0d57e19bb74885f54cea9cede1541bc4110fd90b355918d1703
              • Instruction Fuzzy Hash: 8C819572E005199FCB14CFF9C8805AEB7F5FF88214B1842AAD925E7294D774E951CB90
              Function 03840E59 Relevance: .2, Instructions: 231COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9cd065a2f2bfc1e03a51f9c5a96f36dab0dd90abb8e0d5267d68f0a3083070f1
              • Instruction ID: 1630db2ca99528ed375757eb80c4734e9e27aab3c157cf61a07b901d07317e9d
              • Opcode Fuzzy Hash: 9cd065a2f2bfc1e03a51f9c5a96f36dab0dd90abb8e0d5267d68f0a3083070f1
              • Instruction Fuzzy Hash: B0819071A0061D9FDF14CFA9C8849AFFBB2FF85214B2882E5E954DB745D630E941CB90
              Function 038EE4F6 Relevance: .2, Instructions: 224COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d6c5947892498fb1df639e17f6c7e2804e64eb00d312e0796a28348bdc42b852
              • Instruction ID: 15d6e7d615e1bc79195d20538a37b02ead69cbff3231dfe850efa6825033e3dd
              • Opcode Fuzzy Hash: d6c5947892498fb1df639e17f6c7e2804e64eb00d312e0796a28348bdc42b852
              • Instruction Fuzzy Hash: 42816076E006159BCB28CF99C5906ADFBF1EF89310F1981A9D816EF385D734AD41CB90
              Function 038FAB40 Relevance: .2, Instructions: 222COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction ID: ad235db8e8bd09c2795515e72301e3c1a0c2b5e2b94814031143dd363caaf317
              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
              • Instruction Fuzzy Hash: DA816F35A102099FCF18DF98C890AAEB7B6AF84324F1881A9D91ADB344D778E901CF50
              Function 0385D090 Relevance: .2, Instructions: 217COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction ID: 25068366e0c397f6f81a6f80546ac01c4b79f729b346a68d8c630d22cc5b2bd4
              • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
              • Instruction Fuzzy Hash: 33814B76E001198BEF14DE9CC9807ADFBB2FB84244F1D81AADC16EB344D635AA44CB91
              Function 0386E284 Relevance: .2, Instructions: 212COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0dc5b5954caeffdceee693550875a876566246c340eec715a460943e597562b5
              • Instruction ID: ce1875aa831ebe4e39a6a11676ba3a279601b2653b2b609a6bd24e843c2a02a1
              • Opcode Fuzzy Hash: 0dc5b5954caeffdceee693550875a876566246c340eec715a460943e597562b5
              • Instruction Fuzzy Hash: 0A817E75A00709AFDB21CFE8C980AEEF7BAFB88354F144469E555E7250DB30AC05CB60
              Function 0385B950 Relevance: .2, Instructions: 209COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 992b41f71980abcd1771bb649c11863b213b8b512bce209dd1fda1894d671f78
              • Instruction ID: c6782c14ed93af491dfacffedab586895f781050f124917fcd93fea2274b96d2
              • Opcode Fuzzy Hash: 992b41f71980abcd1771bb649c11863b213b8b512bce209dd1fda1894d671f78
              • Instruction Fuzzy Hash: 5271E7342056548EEB26CEAAC940736BBE1AB95708F2885DEFC96CB1C4D735E806C761
              Function 038EDAC6 Relevance: .2, Instructions: 202COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 26467bd0267feeda977a1ebbe6c602632bb6013bc478fd8599ea1e88efe0415f
              • Instruction ID: c98a8743baaf1901b6235f4af01fb3880f7f24474e5df0f9efd4c1e8c819db4e
              • Opcode Fuzzy Hash: 26467bd0267feeda977a1ebbe6c602632bb6013bc478fd8599ea1e88efe0415f
              • Instruction Fuzzy Hash: 90818A70D006A59FDB24CFAAC440AAABBF0EF8A740F048499E895EB385D374D949DF50
              Function 038F70E9 Relevance: .2, Instructions: 201COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32e13d1b4d38eaab4dbbcbde329f1abb32930df0f61e8b02784aa2a3a589e9f6
              • Instruction ID: 01745447d673ec588e724df738ec85b2535e8503f58b7829bbf0f39d03782b83
              • Opcode Fuzzy Hash: 32e13d1b4d38eaab4dbbcbde329f1abb32930df0f61e8b02784aa2a3a589e9f6
              • Instruction Fuzzy Hash: F761C575E0031A9FEB10EEF9C8809BFB769AF44254F1445B9FA12EB240EB70D945CB91
              Function 038EF0CC Relevance: .2, Instructions: 199COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e7d06382d8593de5ef58a23eb60464e20ec731f29d8409ac26fd70ea0aae5f01
              • Instruction ID: 30102beee1a148781089547db5c345ea0facb383225025caeaec739770258073
              • Opcode Fuzzy Hash: e7d06382d8593de5ef58a23eb60464e20ec731f29d8409ac26fd70ea0aae5f01
              • Instruction Fuzzy Hash: 4B719F7DA05626DBCB25CFAAC08017AF3F1FF46705B6A84AEDA52D7240D374E940CB90
              Function 038B035C Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction ID: 7c7a8946825c25e9def464743e222479a367bb2891a095689037dbad8d359588
              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
              • Instruction Fuzzy Hash: 5C715EB5A0061AEFCB10DFE9C984ADEBBB9FF48700F1445A9E505EB650DB34EA01CB50
              Function 038C62A0 Relevance: .2, Instructions: 198COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 996c6d588f9e078e6f8a4242326751a86649d7aeb6feb35ed0186c6c1815fd5f
              • Instruction ID: 0669acd9cf2523f8f45234d2f00cd14020bfb650fa6f77780d2f1ed0c91aaf0e
              • Opcode Fuzzy Hash: 996c6d588f9e078e6f8a4242326751a86649d7aeb6feb35ed0186c6c1815fd5f
              • Instruction Fuzzy Hash: 7871F236210B45EFDB31DFA8C844F6AB7A6EF84724F1848ACE155CB6A0E774E944CB50
              Function 038F7A46 Relevance: .2, Instructions: 193COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 296c77c80f35948b53e7e1890173835cd97fd1caecc5ad7ad8524c25a60152e8
              • Instruction ID: d409071a3bb02fd0d2cb3daf3b8a3ad448391074a6e6aa020c39248891d451e6
              • Opcode Fuzzy Hash: 296c77c80f35948b53e7e1890173835cd97fd1caecc5ad7ad8524c25a60152e8
              • Instruction Fuzzy Hash: 34512E75A002295FDB14DFE9C8809BAB7E6EF84350B1941E9FE55DB384DA34C942C7A0
              Function 038F132D Relevance: .2, Instructions: 188COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c80cb6c654f3a78efef1338952cfddabee062ad737b2c2a0f24e03971c1df182
              • Instruction ID: dfc74398d2c5e772e7eab1011212bdb97b356979cf88c9b8df3556edea05e8b4
              • Opcode Fuzzy Hash: c80cb6c654f3a78efef1338952cfddabee062ad737b2c2a0f24e03971c1df182
              • Instruction Fuzzy Hash: FF819075A00609DFCB09CFA8C494AAEB7F1FF88300F1981A9D859EB341D734EA41CB90
              Function 038F903E Relevance: .2, Instructions: 186COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3250cf024880870faa9c5ad1c26047e068f1f29bab5294ff4f285e687626646f
              • Instruction ID: 2273140ae4edc3b4749dafbc22235ce0d01fe021dca60118836202fe99fed868
              • Opcode Fuzzy Hash: 3250cf024880870faa9c5ad1c26047e068f1f29bab5294ff4f285e687626646f
              • Instruction Fuzzy Hash: C461FF75600715AFD715DFA8C884FABBBA9FF88314F044699FA68CB240DB30E514CB92
              Function 038FFCF2 Relevance: .2, Instructions: 181COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 03c7bc177400e0dec292428483b1400752a56f4822118b71f90a012f6dce8f62
              • Instruction ID: c5751a62ee6e6681754c140f9dccd50604a9b70b39284fa5bde0307e13e7066e
              • Opcode Fuzzy Hash: 03c7bc177400e0dec292428483b1400752a56f4822118b71f90a012f6dce8f62
              • Instruction Fuzzy Hash: A661B031A0020A9FCB14DFA8C880ABEB7F5FF48314F2485A9E715EB284E730A955CB50
              Function 03837703 Relevance: .2, Instructions: 179COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c0072cb5f47e79b433399a98b39a485b23e894e978a5426eb17627063efc843
              • Instruction ID: 974476aac17894f85ff5d4f4f3bf17d3496ff9aaf0a204f5a26706dfd1664bb5
              • Opcode Fuzzy Hash: 6c0072cb5f47e79b433399a98b39a485b23e894e978a5426eb17627063efc843
              • Instruction Fuzzy Hash: 526146B5A04605DFDB18DFB8C480AADFBB5FF49204F1885AAE519E7340DB30A941CBD5
              Function 038F92A6 Relevance: .2, Instructions: 174COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 452edfbfcf0e94ae9579f2424e653f9f0e782d4fcd20f6cafa21f2e1fa618322
              • Instruction ID: 6406965f086ba6e9c82f1113a33b4eba4c353da444db4f8b0277176e79e13ef5
              • Opcode Fuzzy Hash: 452edfbfcf0e94ae9579f2424e653f9f0e782d4fcd20f6cafa21f2e1fa618322
              • Instruction Fuzzy Hash: 1761D2356047428FD311CFE8C494B6AB7E0BF90718F1844EDEA95CB291DB75E806CB92
              Function 038FCE93 Relevance: .2, Instructions: 172COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction ID: ba0a3bbf2e31ab8815f0f0ada3089fca3684e8bd6fb97d98af30cd48bb3004f8
              • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
              • Instruction Fuzzy Hash: 1C51273260430A4FC714DEADC85076BF7E6EFC1250F1984EDEA55CB249DA70DA09C7A1
              Function 00410163 Relevance: .2, Instructions: 165COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction ID: 035ed966bf0019ade101b5c0310ea80fec0aa187556e7d49e6c4e63ac4a5f1e3
              • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
              • Instruction Fuzzy Hash: 9A5182B3E14A214BD3188E09CC40635B792EFC8312B5F81BADD199B357CA74E9529A90
              Function 0382B2D3 Relevance: .2, Instructions: 161COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 261628b4c0ce8484c6031211770c0ce0fbb28df667791e2b91efc709e5564ff0
              • Instruction ID: 79918b16966348f003755fa3e4d4aa25a61bfede3ae6371f7e18e2b77f42e50c
              • Opcode Fuzzy Hash: 261628b4c0ce8484c6031211770c0ce0fbb28df667791e2b91efc709e5564ff0
              • Instruction Fuzzy Hash: 52412375601B14AFCB26EFA9D880B2ABBA9EF40720F1544E9E549CF250DB70DC80CB90
              Function 038F7D73 Relevance: .2, Instructions: 160COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d4c2f23153c0f050869ee9c44789e14721915e3afdf32270ef548deb90245de
              • Instruction ID: d30810fafd4122f796602ccc4d9387015b95d5248c6080fd4915fac75d0d38a0
              • Opcode Fuzzy Hash: 0d4c2f23153c0f050869ee9c44789e14721915e3afdf32270ef548deb90245de
              • Instruction Fuzzy Hash: A051C636A101498FCB08CFB8C4806AEB7F5EF98354F1982BAD915DB355E734DA15CB90
              Function 03843740 Relevance: .2, Instructions: 159COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3bcf57f870f05f0b9520364247f16bce0fbad61d52b0008344c88bed5568ad42
              • Instruction ID: 9d7e0845faac2c7a366e6ae1356b80b899da8e1d1d202aec2f2f41697ea92cf2
              • Opcode Fuzzy Hash: 3bcf57f870f05f0b9520364247f16bce0fbad61d52b0008344c88bed5568ad42
              • Instruction Fuzzy Hash: F151EF79A0061EAFC711CFA8C4806A9F7B0FF54710B0982E5E895DBB40E774E9A1CBC0
              Function 03837152 Relevance: .2, Instructions: 158COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 509a2c55ce54a41229e56678be0c357681a649a505367bd8187faa01e4e3560c
              • Instruction ID: 1edf9a8dddd538e4372f83734b54718913ec847087b5d73e36828a5c80bed974
              • Opcode Fuzzy Hash: 509a2c55ce54a41229e56678be0c357681a649a505367bd8187faa01e4e3560c
              • Instruction Fuzzy Hash: 2F51DD76A0460AAFEB15DBA8C848BADB7B4BF45314F1840EAE402E7390DB749901CB81
              Function 038B3A6C Relevance: .2, Instructions: 156COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e35dc6df433bbc23aa1037a218c2b193e902cb60ec7878117738c9de64b9a32a
              • Instruction ID: fe6831343a0dd974b171251d7fa6090e3a9228aa5c84e5f7c23910be501e923d
              • Opcode Fuzzy Hash: e35dc6df433bbc23aa1037a218c2b193e902cb60ec7878117738c9de64b9a32a
              • Instruction Fuzzy Hash: 0E518F36E4052E4BEF24CA98D461BEFB3F3EB44310F480859E855BB3C4C6B66956D650
              Function 038AD800 Relevance: .2, Instructions: 155COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a019e2bdd095e92c4f1b911f00d898aeec97230776cc1cd0c043051c14f15c9e
              • Instruction ID: 82dfc4f5314b6283eadddb1ca963c894f7975946fca5c9bc6c265ad2f71fee20
              • Opcode Fuzzy Hash: a019e2bdd095e92c4f1b911f00d898aeec97230776cc1cd0c043051c14f15c9e
              • Instruction Fuzzy Hash: 7951DF74A00A15ABEB14DFADC4A0ABEB7F4FF45704B0841E9ED81DBA90E734D854CB91
              Function 038FD26B Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction ID: 3f5e18785c6a06264d425c3460866a9dd0d2d228bb65cc75348d814591c353db
              • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
              • Instruction Fuzzy Hash: BC516C766087469FC311CFA8C884B5ABBE5FBC8344F04896DFA94DB244D734E949CB92
              Function 038F7571 Relevance: .2, Instructions: 153COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a64994f0260d9b7c2d7ab7d5cf5366db0e8714c77eb2edde3f18efadbe3684f4
              • Instruction ID: 39b82dc1bef0bf62bb781630d89e4c25692caaf2f10ec27776d309b117247abd
              • Opcode Fuzzy Hash: a64994f0260d9b7c2d7ab7d5cf5366db0e8714c77eb2edde3f18efadbe3684f4
              • Instruction Fuzzy Hash: 1C51E631A04119AFEB14DFE9D844A7EFBB9FF48394F0841A9EA01DB254DB74AD11CB80
              Function 038351ED Relevance: .1, Instructions: 149COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4094c6502c39d1d731f1cf305bb035faa1a88a7ae08f7a0eb0dc3de2060effa8
              • Instruction ID: b005fbed5598a6996e000ff30227f9765ceb6e596d24eb2849d13a6cb084054b
              • Opcode Fuzzy Hash: 4094c6502c39d1d731f1cf305bb035faa1a88a7ae08f7a0eb0dc3de2060effa8
              • Instruction Fuzzy Hash: EE517A75A05319DFEF21DAE9C840BADB3B8BB4B718F1804D9E811EB350D7B59940CB92
              Function 038B5BF0 Relevance: .1, Instructions: 145COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9bd3866e740aab33a9e719bd104675d53b781cb36047d360993b6c42d4291753
              • Instruction ID: cd31cf92e20acde694dbdee45fd5e350e261a00fd0b51af6d1e20f7c5b80ff30
              • Opcode Fuzzy Hash: 9bd3866e740aab33a9e719bd104675d53b781cb36047d360993b6c42d4291753
              • Instruction Fuzzy Hash: 7E414935B44B579FCB25FFFC98126EEBAB09F46610B0505FAE801EF345DA7489048792
              Function 0386F71F Relevance: .1, Instructions: 143COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 95ecd57946e0a5a64177b81d924df4bde54ae60dd99d3c72d8131c662fc79554
              • Instruction ID: 00be488476703ac0e5ba5f90800f459ac019ccf5e41cd7e544bed92cb8157dc9
              • Opcode Fuzzy Hash: 95ecd57946e0a5a64177b81d924df4bde54ae60dd99d3c72d8131c662fc79554
              • Instruction Fuzzy Hash: 61417476D04269ABDF11DBE8D844AAFB6BCAF05654F0901E6E901FB600DA34DE01C7E5
              Function 038601F8 Relevance: .1, Instructions: 138COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f45adb53c8f08393f1d1b25220cc8f94eb6accd3328aa103b40358d9b1839f4
              • Instruction ID: 4e62361e391e788de25f8af4534774a0c8b5de5a1556b23bae1e1b3bb7bf28d4
              • Opcode Fuzzy Hash: 8f45adb53c8f08393f1d1b25220cc8f94eb6accd3328aa103b40358d9b1839f4
              • Instruction Fuzzy Hash: B941B0B69042189BCB15DFE8C440AEDF7B4BF88714F18819AE816FB340D7349D41CBA9
              Function 03872750 Relevance: .1, Instructions: 137COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: 2115050ae33e37bbf985f1322b53dd63ba96682ed1ac158466c9db919e26533e
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: 83515975A01619CFDB18CF98C480AAEF7B6FF84710F2881A9D815E7750D738AE41CB90
              Function 038AD1C0 Relevance: .1, Instructions: 135COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction ID: dd10ec4756a55ea49ec61822341dc628d057288e0fc62628e37ea593b60e4853
              • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
              • Instruction Fuzzy Hash: 4C512775A00605DFDB18CFA8C4916A9FBF1FF48314B1881AED819D7745E734EA94CB90
              Function 03836154 Relevance: .1, Instructions: 133COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dca7b6243bff59e9ef1a4165e2370ab8c3a4188e538f443528fe59cb8f2c20f3
              • Instruction ID: 6ee9fffaca05a82db7059ddc4e214bc7603421db4cef9e5c50eab4745dc922f4
              • Opcode Fuzzy Hash: dca7b6243bff59e9ef1a4165e2370ab8c3a4188e538f443528fe59cb8f2c20f3
              • Instruction Fuzzy Hash: 8551077090461AEBDB25DBACCC44BA8BBB5EF02318F1942E5D425DB7C0E7789981CF81
              Function 0382B136 Relevance: .1, Instructions: 131COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab4a37587c3a749f685c783aae75f6446d564923da48f9f10bcd2d7fb23c3ecb
              • Instruction ID: 20c9c9c0068b13b4805291dd1c5cc4f3da263d8f4c47b1310159a51dfd60ae80
              • Opcode Fuzzy Hash: ab4a37587c3a749f685c783aae75f6446d564923da48f9f10bcd2d7fb23c3ecb
              • Instruction Fuzzy Hash: EA4168B5641715AFDB22EFE8C880B2ABBF8EF40794F0484E9E511DB650D774D880CBA1
              Function 038FF0E0 Relevance: .1, Instructions: 129COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 21f588cca653bf6bf7ff777667e4e67bbca5924003cf57bdd5681a7104b4773a
              • Instruction ID: fb2943e0861d58f953c2916a6b21fc42c7274becc80bd8b37b19af74eddab107
              • Opcode Fuzzy Hash: 21f588cca653bf6bf7ff777667e4e67bbca5924003cf57bdd5681a7104b4773a
              • Instruction Fuzzy Hash: 8E41CF712083418FC745CF69D8A487ABBE1EB84615F088A9EF9D58B282C730D909CB61
              Function 038DD5B0 Relevance: .1, Instructions: 128COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: baa0485de5dd7dc0c990a55128a2c5541222e3bdb6689f1808ffcb88d6f11d7f
              • Instruction ID: 714b260aa47bbee0f8bd6764ce8576f1af851fc93a1ffc1b47becbfa2d2c7089
              • Opcode Fuzzy Hash: baa0485de5dd7dc0c990a55128a2c5541222e3bdb6689f1808ffcb88d6f11d7f
              • Instruction Fuzzy Hash: 6E41FF30A08294AFCB14DFA9D491ABAFBF1AF49304F0984C9E4C5CB245C734A45ADBE0
              Function 0385D6E0 Relevance: .1, Instructions: 126COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 18d22ca55913c12a9ab931d0b3e4ff0e32b1865b063cb828ba14c8b073b04705
              • Instruction ID: ae08384151e91b84e9fbb2f03aa0c1bc645d5f7f105efb4f5f78d0cac3388fab
              • Opcode Fuzzy Hash: 18d22ca55913c12a9ab931d0b3e4ff0e32b1865b063cb828ba14c8b073b04705
              • Instruction Fuzzy Hash: 2441CF795087009BD724FFA9C890B2BB7A9EB95321F0405AEFD15CF291DB30E845CB92
              Function 0382A020 Relevance: .1, Instructions: 122COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 09c726aa4c3b650cebf03845b6edebce30ca4a73f8e20a6b8b93337b10bdfc6a
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: 26412B31A00225DBDB29EFD984507BAFB62EFD0754F1980EAE945DB240DA399DC0CB91
              Function 03860710 Relevance: .1, Instructions: 121COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 6d5559716921e31d85c6eb997522498f319fbd89f4da3c3261faae45ee80a02f
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: FB4117B5A04709EFCB24CF98C980AAAB7F9FF08704B1049ADE556DB650D730EA44CF94
              Function 038FFFB1 Relevance: .1, Instructions: 117COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c348dc658c2e1fb301cc7eaaf1681c523b74cc4ad9df3d57e6a4a8196a65ae3
              • Instruction ID: 50d3d387ffbfc471d24381124b5f48d8a13db0f76fce455a3d50bdc9f129498d
              • Opcode Fuzzy Hash: 1c348dc658c2e1fb301cc7eaaf1681c523b74cc4ad9df3d57e6a4a8196a65ae3
              • Instruction Fuzzy Hash: 72413A71A042955FC741CB2685A06BABFF5AF85245F0CC1E6D8C19B382D639C606C770
              Function 038B07C3 Relevance: .1, Instructions: 114COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 26baee6549687c57ea252be480a5ab37a867bc4bba612fc03b409d6bdb786f49
              • Instruction ID: 5821c5960b6a4621b2340b8ff8f6075534942e46c86544b42d48eece2e59de44
              • Opcode Fuzzy Hash: 26baee6549687c57ea252be480a5ab37a867bc4bba612fc03b409d6bdb786f49
              • Instruction Fuzzy Hash: AE418CB25083059FD320DFA9C844B9BFBE8FF88624F004A6AF598CB251D770D904CB92
              Function 038FFA49 Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 914af107d80367d253d6af555e02a1d58fd3458d914878971577211b32489b9d
              • Instruction ID: 6147ec195506c4562dc140b35db2463f797f21ae1224941a72739dea1735f196
              • Opcode Fuzzy Hash: 914af107d80367d253d6af555e02a1d58fd3458d914878971577211b32489b9d
              • Instruction Fuzzy Hash: 943159367041069FC718CFA9CC44AA3BB99EF84758F1886F4EB18CB284E774D945C394
              Function 038FEEDB Relevance: .1, Instructions: 113COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b6ed79133dd421bf6bfae6d1f72ab93b91eab02efd89f59883e3c4dca23ddb7b
              • Instruction ID: a67bc3c4935838b24140ead6e94aa81ca3003eceda9add549fac193be402ba47
              • Opcode Fuzzy Hash: b6ed79133dd421bf6bfae6d1f72ab93b91eab02efd89f59883e3c4dca23ddb7b
              • Instruction Fuzzy Hash: 84416E33A0452A8FCB18DFA8D49197AB3B5EB8824476642F9D905EB294DB34BD05CB90
              Function 038FFB76 Relevance: .1, Instructions: 109COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7ceee27cb152c56fbf7c60a44fbf26c66ef7e4402f2d7c207d8a61c6e6ba5a2d
              • Instruction ID: cda8687b7732d563ea3f9a2b3e7a3d582f1b53733662aa61dedc2e75b110c6f9
              • Opcode Fuzzy Hash: 7ceee27cb152c56fbf7c60a44fbf26c66ef7e4402f2d7c207d8a61c6e6ba5a2d
              • Instruction Fuzzy Hash: A3310636614129AFD710DFA9CC44AABBBE5FF88350F4585A8FB08CF240D634E901C790
              Function 0040E383 Relevance: .1, Instructions: 108COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction ID: bfa7e0d4285610b779df697992491e26cdb0aa78fbb2a7e30dff82718ad2cf66
              • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
              • Instruction Fuzzy Hash: A93192116586F14ED30E836E08BD675AEC18E9720174EC2FEDADA6F2F3C0988418D3A5
              Function 038402E1 Relevance: .1, Instructions: 106COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 055eadf0f94ae92eb2e8e29caaf7dbd2826d3da80a9317cafe60220edb9738c0
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 59312572A04248AFDB21CBE8CC40B9AFFE8FF44314F0885E6E815DB352D2749840CBA1
              Function 03859274 Relevance: .1, Instructions: 105COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f0813a145ccf423da9a7c8d969538231cd095f7f5a95ac91cefa7edbc0d6251f
              • Instruction ID: 7e4c7b6a464aa88728281d36fcbc2b2945c5569025f31025b2779f0d0dd686dd
              • Opcode Fuzzy Hash: f0813a145ccf423da9a7c8d969538231cd095f7f5a95ac91cefa7edbc0d6251f
              • Instruction Fuzzy Hash: 99316275A00728EFDB21DBA8CC40B9AB7B5AF85714F5501D9F94CEB280DB309E44CB51
              Function 03835702 Relevance: .1, Instructions: 104COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ee2e5bcfb20a284fe6bf49fefd1fe8757831656e92299489986fe31603b6fd69
              • Instruction ID: 41163c08b0669238ac938ef880d8fb6164a1da937febc8604a264be2e5aa2ff8
              • Opcode Fuzzy Hash: ee2e5bcfb20a284fe6bf49fefd1fe8757831656e92299489986fe31603b6fd69
              • Instruction Fuzzy Hash: 2831AE75201A06EFDB51DBA4CA80A9AF7A9BF46354F0450E5E941DBB50DB70E820CBD1
              Function 03834260 Relevance: .1, Instructions: 102COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 571c296465a9198f3fe77c75ba525d6f7eb7c2fae537ca3c4012fb960fdfd9ab
              • Instruction ID: 93ae91733355cf3a179e2dee0593a005ff05e9958fa53004e562f97540b6d442
              • Opcode Fuzzy Hash: 571c296465a9198f3fe77c75ba525d6f7eb7c2fae537ca3c4012fb960fdfd9ab
              • Instruction Fuzzy Hash: E641BF75200B44DFDB22DFE9C880F9AB7E9AB46314F1844AAE599CF750C774E804CB91
              Function 038550E4 Relevance: .1, Instructions: 101COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction ID: 03de6c872d3493f9c874e7b0673d98c918236f1bcb0c860eca580d5b794453df
              • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
              • Instruction Fuzzy Hash: BA31F7317483459BDB22DAA8C800767FBD9AB86754F4C85EAFC86CB380D274D841C792
              Function 038F61C3 Relevance: .1, Instructions: 97COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d61f34d193c8c5b979c59623681da04c80f37aacd5b1572a80441f953fe78d9e
              • Instruction ID: a9218496486b83c0ffb917e23a4c0cfc19dda637a9d61e9f29ccf5c84141b119
              • Opcode Fuzzy Hash: d61f34d193c8c5b979c59623681da04c80f37aacd5b1572a80441f953fe78d9e
              • Instruction Fuzzy Hash: FF31A176A00259EFDB15DFE8C840BAEB7B5EB44B40F5942A9E500EB244E774ED00CB94
              Function 03829730 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 453dfdd5992138d9fc97969af1ca5263a3e078c3fb61110b3c3fb504739cf1c9
              • Instruction ID: 78255ccdfaf69c9f258eaa0457817f35d81247d8f983c31560dc9b2899e7abf7
              • Opcode Fuzzy Hash: 453dfdd5992138d9fc97969af1ca5263a3e078c3fb61110b3c3fb504739cf1c9
              • Instruction Fuzzy Hash: 0821F57AA00B249FC322EF988400B1ABFB5FB84B54F1504A9E955DF740DB70EC50CB91
              Function 038F6BD7 Relevance: .1, Instructions: 96COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: de2b9cc47a3096914712f2620e32b19b43b6be5eecb79eda814982431b15dab5
              • Instruction ID: b07a03a75fc5378efa18f582e7757c9218f374d4fb1a31fe2c0ba70da4ccc78a
              • Opcode Fuzzy Hash: de2b9cc47a3096914712f2620e32b19b43b6be5eecb79eda814982431b15dab5
              • Instruction Fuzzy Hash: 66318D316002049FCB24DF6AD9C5A5B7BF4FF89340F8585A9EA08DF249D370E945CBA5
              Function 038F60B8 Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8746f7629faecc1b16b53223d0140f3c2bd527c423c671ce4ad6b18062bfe303
              • Instruction ID: ea7b14710c9e6afd5636929323cbe60f31033111a4db6930c4ed26fb6fb8954d
              • Opcode Fuzzy Hash: 8746f7629faecc1b16b53223d0140f3c2bd527c423c671ce4ad6b18062bfe303
              • Instruction Fuzzy Hash: F331E235700719AFDB12EFE9C840B6EBBB9AF84754F1402E9E641EB341EA30DC408B91
              Function 038307AF Relevance: .1, Instructions: 95COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7dff0c9ddd77fdeb848cb078552c977c431ab8c284d56ed0699988f351321c3e
              • Instruction ID: 5773cb1e9140d3c95eb90500c52b1ef5040df5a4cef0d9bd98a6e6da1983940e
              • Opcode Fuzzy Hash: 7dff0c9ddd77fdeb848cb078552c977c431ab8c284d56ed0699988f351321c3e
              • Instruction Fuzzy Hash: 313105B6A04755DBC711EEA88C80A6BBBA9EF86650F0545A8FC56DB310DA30DC00C7D2
              Function 0382D6AA Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction ID: 5535f58a53ac537f5b481017de1f51839e05683a951896022c4af5a490dac7e2
              • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
              • Instruction Fuzzy Hash: E331E836601614AFDB21DED8C880B2ABFB9DB80710F1D84E9ED25DB251D338DD88CB51
              Function 0042F083 Relevance: .1, Instructions: 93COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e28ed42c86b9300389be8d147813b10c3162c43c935757e51119e5154820241e
              • Instruction ID: c4e82800e19705a4bfd7a1762549bc2358cdd80938b83a84e362d0557397074d
              • Opcode Fuzzy Hash: e28ed42c86b9300389be8d147813b10c3162c43c935757e51119e5154820241e
              • Instruction Fuzzy Hash: B231E372B106265BD354CE3AD880656F3E5FB88310B94863AC918C3B41E774F966CBD4
              Function 038357C0 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: df31f734553a4d12538ab081850cba39e1c385816811222066560da505adeebf
              • Instruction ID: 80d2ce4d7792c50c1a33237109431a0a911d2dc0a7e81afd444f65b64ff36041
              • Opcode Fuzzy Hash: df31f734553a4d12538ab081850cba39e1c385816811222066560da505adeebf
              • Instruction Fuzzy Hash: 4B318D79715A09FFDB51DBA4CE40AAABBA6FF85204F4850A5E901DBB50D734E830CBC1
              Function 0386A6C7 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: 95dca3422ec3207fbf3084b5c54089a123732682ed453308638196beb0ae56c6
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: 27313CB2B00B00AFD764CFA9DD41B57B7F8BB08B50F0849ADA59AD3650F634E900CB64
              Function 00403050 Relevance: .1, Instructions: 92COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c647b45fc50f2da9be4cc134010b18fb8cbd428367d3043ed67d6262b74eef7
              • Instruction ID: ab22aa5e8b4e5576ae336f16e7f22304a861c02b025118bef810837520964c06
              • Opcode Fuzzy Hash: 3c647b45fc50f2da9be4cc134010b18fb8cbd428367d3043ed67d6262b74eef7
              • Instruction Fuzzy Hash: 2331C072A00A144FD368CE6ED845203B7E5EB88350B418A7EE99AD3B94D678FD01CBC4
              Function 0385438F Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 50ad277244ab3abeeda72f1eed2f8ffa6471019efd451a7b2378d2e4a8f9d00f
              • Instruction ID: 9b33c8d7b8ac9d787015f19de6ac1e2a52cbd5d2a2014a49b1a2db1b7680a06f
              • Opcode Fuzzy Hash: 50ad277244ab3abeeda72f1eed2f8ffa6471019efd451a7b2378d2e4a8f9d00f
              • Instruction Fuzzy Hash: A631F631B017459FDB20EFE9C880A6FB7F9AB80305F0484AAE805D7650D730EA85CB51
              Function 038392C5 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction ID: 7e509502f056cc668e9d135a8702137a736344bc35e12d6dc9103265794d919e
              • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
              • Instruction Fuzzy Hash: 913170B56083499FCB01DF98D840A5ABBE9EF89354F0409AAF855DB391D734DC14CBA2
              Function 03887190 Relevance: .1, Instructions: 89COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction ID: 5b6f55650d48e3ca192e17b479ed2f3aed7e6741e317f66e48229969399b35cf
              • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
              • Instruction Fuzzy Hash: D9312279604206CFC710CF68C480956BBF5FF89354B2986A9F958DB325EB30E906CB91
              Function 038EC3CD Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: 2ccfe20c068392f76520d31c51592472c70c1647861316535ec8b84dead6b1a5
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: 97212D3FA0075566CB14EBE98800ABAFBB5EF41714F40809AFD66CB551E635DA50C361
              Function 0382C156 Relevance: .1, Instructions: 88COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fc7ddfa47a38822fcd2135bc1b8970aa8a3656dfeaa90e9066c379a4bcf90afd
              • Instruction ID: a6cfa9db7885eae8d14fe2bcdc97436abadd67cde802dfffac75aa417d4eee44
              • Opcode Fuzzy Hash: fc7ddfa47a38822fcd2135bc1b8970aa8a3656dfeaa90e9066c379a4bcf90afd
              • Instruction Fuzzy Hash: 1631E5B65003148BCB30FFA8CC41BA9B7B8AF41314F5881E9D845DF7C1DA74998ACBA1
              Function 0382E388 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: c359836e5e463cdf6e2675f191a6f76194a24882a6e5dd294faa36daf367ebaa
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: 7D31A931600618EFD721CBA8C884F6ABBF8EF85318F1444A8E502CB290E730EA42CB51
              Function 039003E6 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 17011323497f9d6b0cdcfd4fc76a2376dfc5ca84269e4c5565a1695acfb195df
              • Instruction ID: d84688435d53d0c142f0bafe73d66da32e254699e7b4ca3fdf81d16634017d7a
              • Opcode Fuzzy Hash: 17011323497f9d6b0cdcfd4fc76a2376dfc5ca84269e4c5565a1695acfb195df
              • Instruction Fuzzy Hash: 6C317171B04519AFCB18DFA5D994FAFBBB9FF88244F414169E905E7240DB30AE04CBA4
              Function 038AE609 Relevance: .1, Instructions: 86COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6b4fba28e1e3003f3689bf9e24f2f5b1825e5e3b59e4fe0d5797b39ff1255dfd
              • Instruction ID: f44f3a7aa067db8e0bac3415180c4341d6f91ef780b4f6bf55de319172ac7394
              • Opcode Fuzzy Hash: 6b4fba28e1e3003f3689bf9e24f2f5b1825e5e3b59e4fe0d5797b39ff1255dfd
              • Instruction Fuzzy Hash: 86317C75A00609DFDB14DF5CC8849AEB7B6EF84304B154999E809DB390E771FA41CB91
              Function 03833616 Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2eabf68a3b7625716125928c8273570fc115003f0e439429358b4c9490d0264b
              • Instruction ID: 5b761cb2e51f247fdce957f585d7bedbff434ae647c354f7670d1133111b03c1
              • Opcode Fuzzy Hash: 2eabf68a3b7625716125928c8273570fc115003f0e439429358b4c9490d0264b
              • Instruction Fuzzy Hash: A121F9392457549FCB61EF88C944B2ABBA4FF82B10F0904E9E8418BB55D7F0E844CBC2
              Function 03900591 Relevance: .1, Instructions: 84COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 716caffa7656c610c95c965f7a67ffcf4b39a330a35a2b26978a6fdce6a4e21b
              • Instruction ID: 43dd20883bcba6471af2566b26405c13c22b9d9b60fc7fe73e84cebc4ec3d0f2
              • Opcode Fuzzy Hash: 716caffa7656c610c95c965f7a67ffcf4b39a330a35a2b26978a6fdce6a4e21b
              • Instruction Fuzzy Hash: 2F21F3326142058FD728CE2AC880BBAB7AAEFD4340F594978E905CB3C5D730F845C750
              Function 0385F32A Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction ID: 225988bd87aaf18a1bb820528ffa3631f6b843b5119840e1df644c3435427829
              • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
              • Instruction Fuzzy Hash: 4821C272200304DFD719DF55C441B66BBE9EF95365F1541ADE606CB290EB70E801CB94
              Function 038B06F1 Relevance: .1, Instructions: 79COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 07c9ec5c6134193872ff402967aff433b8e41298b041783b5f5e7450965edeaa
              • Instruction ID: f6a025f053dae11ef47d9425ff6ac494486ae0cdddd3a7e76d933562d8faa506
              • Opcode Fuzzy Hash: 07c9ec5c6134193872ff402967aff433b8e41298b041783b5f5e7450965edeaa
              • Instruction Fuzzy Hash: 6421A0759006299BCF10DF99C881ABEF7F8FF48740B5400A9E441EB340D778AD41CBA5
              Function 038B019F Relevance: .1, Instructions: 78COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a471e550afbaca24e97daea720f2096a1ea26e3d9654dd136ad952be21bc7f6e
              • Instruction ID: 38e3b39b82c0447a8d3b38f9c3d38477de6a646c92a53f2e953cfe948e9b8b70
              • Opcode Fuzzy Hash: a471e550afbaca24e97daea720f2096a1ea26e3d9654dd136ad952be21bc7f6e
              • Instruction Fuzzy Hash: B8218BB5600649ABC715DBACC840B6AB7B8FF48740F1800A9F944DB7A1D778ED50CBA9
              Function 0040E4D3 Relevance: .1, Instructions: 76COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4fda4ae2fc141fb144425107e49576b641bd6148b332f24f7fe169162e4e5314
              • Instruction ID: 31495f8d625b123c763d75ff8afa6e7083a156be8de1130dfe51e83a53e0eb3f
              • Opcode Fuzzy Hash: 4fda4ae2fc141fb144425107e49576b641bd6148b332f24f7fe169162e4e5314
              • Instruction Fuzzy Hash: 0421E231A043445BC714DFABD881AABBBF1BF88308F418C6FD856AB381D675E9118B54
              Function 038B0283 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8622e56908f8726de967cb285ad30ec1eeb5fa031882ae5f01e7eafd605776c
              • Instruction ID: 0be58a93d0fef08f57551ea2dce257293a173f2916876ae11b775730057e6379
              • Opcode Fuzzy Hash: a8622e56908f8726de967cb285ad30ec1eeb5fa031882ae5f01e7eafd605776c
              • Instruction Fuzzy Hash: 34219DB290434A9BC711EBE9C848B9BB7ECBF85244F0844D6BC80CB761D774D948C6A2
              Function 038D71F9 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 91295652aa4027da2b0f9444b00888edbca15ae3da4bd94428a8f477dec7c9ff
              • Instruction ID: 87869688b29ab01b425582e26a5e3d11fc7e5a1dfd029e4377ef64ebc047f551
              • Opcode Fuzzy Hash: 91295652aa4027da2b0f9444b00888edbca15ae3da4bd94428a8f477dec7c9ff
              • Instruction Fuzzy Hash: 2921F531A047948FC320EFB98840B2BB7E9EFC5324F1449ADF8A7D7150DB70A9858792
              Function 0040E4D1 Relevance: .1, Instructions: 74COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285440540.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 666c2f54724efd6259bebc72b5105284b53a13fd3d42a37401d99cb7c01a3c6c
              • Instruction ID: af75fb061fe8932b424fe6ec08e4116510d5ac165445d97622ce5092242bd418
              • Opcode Fuzzy Hash: 666c2f54724efd6259bebc72b5105284b53a13fd3d42a37401d99cb7c01a3c6c
              • Instruction Fuzzy Hash: 3E21F431A003445BC714CFAAD881AABB7F2BFC8308F558C6FD856AB381D675E9118B14
              Function 038AD0C0 Relevance: .1, Instructions: 73COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction ID: 7ac1a96713f9e8ac1b49306e3e38f6d380abd40916c30d398c0ef7f635834522
              • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
              • Instruction Fuzzy Hash: 4221D072644B04ABE311DE5C8C51B5ABBA5EB88720F04016AF944DB7A0D330D805C7AA
              Function 039001AA Relevance: .1, Instructions: 71COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6f1b5859b5f09a01a983ee29e0666142531b6872cfd926aca39dff470fbf4d4c
              • Instruction ID: a8aa173a8025a87d1de75d3ee66e19afb349130afb3d1a7c6f93ead17272745f
              • Opcode Fuzzy Hash: 6f1b5859b5f09a01a983ee29e0666142531b6872cfd926aca39dff470fbf4d4c
              • Instruction Fuzzy Hash: 0E21E4A13042904FD786CB1A88B44B6BFE5EFC6125B0982E6D8C4CB342C134DA07C7A0
              Function 0386A30B Relevance: .1, Instructions: 70COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3670cae0ef8712e89ebfa8472fa7684e67be1dd4d126933d72f7ca35937ab158
              • Instruction ID: 78d57cd42159fb73be0fade60ec16d081f7dd9f9f223bac33403b581777550b3
              • Opcode Fuzzy Hash: 3670cae0ef8712e89ebfa8472fa7684e67be1dd4d126933d72f7ca35937ab158
              • Instruction Fuzzy Hash: B321AF79200B109FC728DF69C900B46B7F5AF88704F1884A8A509CBB51E335E842CB94
              Function 038C80A8 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: 3e4f9bb142f1501059cec1cdd7b5868618a2a27e5c4afefc55499880b64af08b
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: 74215876A40249EFDF12DF98CC40BAEBBB9EB88310F20449AF900E7250D674D9508B50
              Function 0382B765 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 3ee92da3801c78c3afdd4c00bb9f8feb7b190d546858100dd7314ca6b988dafd
              • Instruction ID: 6dc16d460004a6ba57d1ab995524a02f4bd7e61a856fbeba6b31768f3a6044d7
              • Opcode Fuzzy Hash: 3ee92da3801c78c3afdd4c00bb9f8feb7b190d546858100dd7314ca6b988dafd
              • Instruction Fuzzy Hash: B2215576101B10DFC722EFA8C940B19BBB5FF18748F1849A8E01ADBAA1C774E854CB45
              Function 038FEE26 Relevance: .1, Instructions: 69COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 451ff1c7b33034b69f2d9920ca7aa0ac7a63052fdb4467ee6b8f7e37eb3be22d
              • Instruction ID: 4464df6e7d3bedc0a6332c0e5f460fc1fe1bb1a84083dd83bcf1fddb466b533f
              • Opcode Fuzzy Hash: 451ff1c7b33034b69f2d9920ca7aa0ac7a63052fdb4467ee6b8f7e37eb3be22d
              • Instruction Fuzzy Hash: 7C21A233A108119F9B18CF7DD804466F7E6EFDC35436A427AD512DB268D670BD118A84
              Function 03860124 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: d842d2839ce2c911f0b889ca27e37e9e6014b8e92d7522d07c8a5aff07d95743
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: C411DDB6600708AFD722DAC8C841FAABBB8EB80754F1400A9E600CF180D675EE44CB69
              Function 03838770 Relevance: .1, Instructions: 68COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55dcad08bd70dea74a10c768f44a6d6a67aa841b3f0201a5eedeec63854b698a
              • Instruction ID: 98037ba6f223d980253e7987b2387d53082ebc542956c15b347f7182e5b374ff
              • Opcode Fuzzy Hash: 55dcad08bd70dea74a10c768f44a6d6a67aa841b3f0201a5eedeec63854b698a
              • Instruction Fuzzy Hash: BB119D356006249BCB11CF99C480A6AB7EAEF8B750B1880A9FD08DF305D6B2E905C7D0
              Function 03833720 Relevance: .1, Instructions: 67COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c71a47eea9f7a8e07c2335db5fbf2bd992d0203ee0c8498e86f30fef86af8b09
              • Instruction ID: 8a862257eb3cf7c86c4185517aac9ccc98afa8998c301c4e08ad46548b8d11da
              • Opcode Fuzzy Hash: c71a47eea9f7a8e07c2335db5fbf2bd992d0203ee0c8498e86f30fef86af8b09
              • Instruction Fuzzy Hash: 3921DA799007098BE725DF9DD0447EDB7A4FB89318F2D8068D8119B3D0CBF89945CB95
              Function 038380E9 Relevance: .1, Instructions: 66COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72a756b15f809604534df994d08c8b6419c01da83ed65c087d09d7abbce2b353
              • Instruction ID: 31febe2a348dc7c71d9a18b5aa8c1c74fb999f209cdc916ec66c423fd81b8770
              • Opcode Fuzzy Hash: 72a756b15f809604534df994d08c8b6419c01da83ed65c087d09d7abbce2b353
              • Instruction Fuzzy Hash: C2216D75A00209DFCB14CF98C581AAEBBB5FB89718F2441ADE105AB310CB71AD0ACBD0
              Function 0386674D Relevance: .1, Instructions: 65COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cefc2bdcb1d75b0c2b03bf462903599b97fb97400b0d655210d3765c4b26ac0d
              • Instruction ID: b8a0459c22f881d06cc0e8049624f1a8f4863bd93ed7706aee8728f92cd27237
              • Opcode Fuzzy Hash: cefc2bdcb1d75b0c2b03bf462903599b97fb97400b0d655210d3765c4b26ac0d
              • Instruction Fuzzy Hash: DF218E75610B44EFC720DFA9C841F66B3E8FF44250F44896DE49AC7650EA70AC50CBA1
              Function 03829240 Relevance: .1, Instructions: 64COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1dddef751bc580b5bfc764d47fbae14a9ec067067031c16aa69471d7a39e4aaa
              • Instruction ID: b6bcc9264ec5a7df5f4793a8720d1c923db8c270c8468f7d5765f1129862231f
              • Opcode Fuzzy Hash: 1dddef751bc580b5bfc764d47fbae14a9ec067067031c16aa69471d7a39e4aaa
              • Instruction Fuzzy Hash: 5A11E23E015A44EAD731FFAAD841A627BA8EBA4A80F144065E804DFA58E378DD01CB65
              Function 038666B0 Relevance: .1, Instructions: 61COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b79065bd2c332b76931b6bfdbb246734595b27698e6dd013f70b54b37c5d079d
              • Instruction ID: 43c1f044f0cd47215f9602886517ade0ef1d01f1bb721ce3b88963122357f394
              • Opcode Fuzzy Hash: b79065bd2c332b76931b6bfdbb246734595b27698e6dd013f70b54b37c5d079d
              • Instruction Fuzzy Hash: 1511BF76A017899BCB24DF99D580A5ABBE8AF94610F0981B9E805DB310E670DD00CB90
              Function 038FFF09 Relevance: .1, Instructions: 60COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c1a858578b7ce2d25117a4147a3fa84328d090e58f9c4c35582adfcdf6769aa
              • Instruction ID: b536ec2bfd82949586cad78c6da9c945170beefbe3434137f3681a7f1e217a1f
              • Opcode Fuzzy Hash: 6c1a858578b7ce2d25117a4147a3fa84328d090e58f9c4c35582adfcdf6769aa
              • Instruction Fuzzy Hash: 042183B1A142059FD754DF2AE980B42BBE5FB4C250B8585BAE90CCF24AE770D844CF90
              Function 038527ED Relevance: .1, Instructions: 58COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 66f4811d3000e578467c1cff5cb2d9017e93e5a17e7fbcfdfcb850d15257fb77
              • Instruction ID: 5cefb8427af4d20012cfed908c011079010a7922d467b89ab65adb526cfe2aa7
              • Opcode Fuzzy Hash: 66f4811d3000e578467c1cff5cb2d9017e93e5a17e7fbcfdfcb850d15257fb77
              • Instruction Fuzzy Hash: 6301C475605648ABE72AE2ED9C84F67A69CEF81399F1D04E5F801DB650DA58DC00C2A2
              Function 0385B052 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e2c59494ea2de9f7254737f3227616e402913c3f0a19b9f35358fed10b11c4e3
              • Instruction ID: f23ab60dcb2e7cab59762d402f156db1bdedac1e44977b19fce0b1ab010bc97a
              • Opcode Fuzzy Hash: e2c59494ea2de9f7254737f3227616e402913c3f0a19b9f35358fed10b11c4e3
              • Instruction Fuzzy Hash: 0C01D676B04744ABD712EBED9C81F6BBAE9DF94214F0400A9FA05C7141EA70ED00C622
              Function 03834690 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9a753c7dd910599cd5c110f8cfbb9081ba51bbb58243914409420ca2c2cb411
              • Instruction ID: 11d0721a9b9a25ab95890a2723cb394414b9a49ced3d3e1896a828519a50a89e
              • Opcode Fuzzy Hash: a9a753c7dd910599cd5c110f8cfbb9081ba51bbb58243914409420ca2c2cb411
              • Instruction Fuzzy Hash: CF11AC3A240748AFDB25CFDAD944B56B7A8EB87B64F084599F815CB791C374E800CFA0
              Function 038ED6F0 Relevance: .1, Instructions: 57COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction ID: fb456582f461045b6e4f2c841643b088f448629b4ea6e76b5c00707cfe601eaf
              • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
              • Instruction Fuzzy Hash: 38016575700249EF9B04DBEACD44DAFBBBDEF85A44F050099A925D7100E730EE49D761
              Function 03866620 Relevance: .1, Instructions: 56COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0f1bcf5cea76aa23c8839e6b7893b6cbbfe7a55d02331ce2a46926e7ba4ad96c
              • Instruction ID: 6c50a2e5a8b6f9dda6a0cfa84aa61c996c3c77e7873d17dc04f1bcea06dbf836
              • Opcode Fuzzy Hash: 0f1bcf5cea76aa23c8839e6b7893b6cbbfe7a55d02331ce2a46926e7ba4ad96c
              • Instruction Fuzzy Hash: 2811E17AA00755EBCB22EFDDE980B5EF7B8EF84750F540098D901EB200E770AD018BA1
              Function 03827330 Relevance: .1, Instructions: 55COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a202816e7df9526ea31abc278bb0b67cfe27cf60dffb628e66fcb1e713c464d
              • Instruction ID: b00e25f57fa23a47eebac1989bf80a485d63acf886e9fd760957ef46912f979b
              • Opcode Fuzzy Hash: 4a202816e7df9526ea31abc278bb0b67cfe27cf60dffb628e66fcb1e713c464d
              • Instruction Fuzzy Hash: EF119E716007249FD721CFAAC845F6B7BE8EB84304F0544A9FE85CB211D735E840CBA1
              Function 0385F2D0 Relevance: .1, Instructions: 54COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fe46cc35aa5f9ae521c33f103d0534ea7d97d2b8f9674c427fa131d3814b4a6b
              • Instruction ID: 18d6f80857b4e326c4fbc263694733868e512f4cbc7dc1ae7a95cb0ff6fed1f9
              • Opcode Fuzzy Hash: fe46cc35aa5f9ae521c33f103d0534ea7d97d2b8f9674c427fa131d3814b4a6b
              • Instruction Fuzzy Hash: 7811C275600B48DBD720DFA9C844BAEB7A8FF94700F1804E6E905EB641D679D901C751
              Function 038C72A0 Relevance: .1, Instructions: 53COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction ID: 1a358945969e191f34c0d988028a0e330ede91b3b142eb89a0ea08b391528a45
              • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
              • Instruction Fuzzy Hash: 8F01D27A240609BFD711EFAACC80E62F76EFF84390F444969F10486560C731ECA0CAA5
              Function 0382A250 Relevance: .1, Instructions: 52COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction ID: 64a6e1f30e7a97baf427f9ad5e69d7cb551f830ccfdaf572e08e68c8144dfb6a
              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
              • Instruction Fuzzy Hash: E70126714047259BCB34CFA5D840A36BFAAEF45B6070489ADFC95CB680CB39D460CB60
              Function 03836259 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3dd1d0fa1a9aa5d4caf740b235fd92e1ac292850a2b8bd13adcd6202bd349b7a
              • Instruction ID: 3d584899706372b78f1cd7dce37d288f8929740d9f58c10f1012ae60c9b9689b
              • Opcode Fuzzy Hash: 3dd1d0fa1a9aa5d4caf740b235fd92e1ac292850a2b8bd13adcd6202bd349b7a
              • Instruction Fuzzy Hash: 3A11A074501318ABDB25EBA8CC41FE8B379EF04710F5045D4A314EA1E0DB709E81CF85
              Function 038AE1D0 Relevance: .1, Instructions: 51COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d7b1225ee433489396c2ed130aca087e6c849333bd72a8f88db2069b554d661
              • Instruction ID: 0e01c081f6280c4418efc3fb3e5bd8dbaeaa2551d9cf85d7d80b495691431009
              • Opcode Fuzzy Hash: 0d7b1225ee433489396c2ed130aca087e6c849333bd72a8f88db2069b554d661
              • Instruction Fuzzy Hash: B4117936241740EFDB16EF98C980F16BBB8FF48B44F2404A5F905DB6A1D635ED01CA90
              Function 0383208A Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction ID: f9453fb072149e3a298bafbca47da7bb45e410eecb5ce9a7dfe5a52fcd04f3f8
              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
              • Instruction Fuzzy Hash: 0F0124322002108BDF10EBA9D890BA6B76ABFC5700F1949E5EE01CF345EAB1CC85C7D0
              Function 038B6050 Relevance: .0, Instructions: 50COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2e5be4a34006cd49895e67795ec01bb294a15d450f22bf16e2828223f10a2687
              • Instruction ID: 47a9223176b6e7107b48b43e124c153e0b5059b1d5b454bf907c5d4ec74d7f64
              • Opcode Fuzzy Hash: 2e5be4a34006cd49895e67795ec01bb294a15d450f22bf16e2828223f10a2687
              • Instruction Fuzzy Hash: C5111B7790011DABCB11DBD5CC84DDFB77CEF48254F044166A506E7210EA34EA15CBA1
              Function 038720F0 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 417386d30ee7ba53f11408b79ab5936ca2772f78bad4fd5e3564a5787498bae9
              • Instruction ID: 75edad73738d6990c1dc227ca6bfed774ad67aefdfc7a05a5f5b6091ec7fadf1
              • Opcode Fuzzy Hash: 417386d30ee7ba53f11408b79ab5936ca2772f78bad4fd5e3564a5787498bae9
              • Instruction Fuzzy Hash: 19116D35A0120CEBDB05EFA8C850FAE7BBAFB44244F004099E906DB250D635EE11CB91
              Function 0382C020 Relevance: .0, Instructions: 49COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction ID: 52e62174f243e457d77d5723e4d44d336e54c8b9dde83c3d4ab1e2c61265efb5
              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
              • Instruction Fuzzy Hash: 1901B5361007489FDB22E7AAD800ABBB7E9FFC4654F08449AA946CB580DA74E446CB51
              Function 03829353 Relevance: .0, Instructions: 48COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction ID: 898ad8ed6d692b53b56d4591d75fc13cd162a04a797f9ac61fdd2d4d820d1758
              • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
              • Instruction Fuzzy Hash: 77118E32500B11DFD721DF95C884F22B7E4BF80766F1988ACD4898A5A5C374E890CB10
              Function 038533A5 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction ID: 2d227677e4a949bcba2bd9fdcb52a4c67d376185897dfa21281a015fe0699022
              • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
              • Instruction Fuzzy Hash: D001863A700205A7CB12DADEDD00F9FBA6C9F94681B1544A9BD15DB160EA70DA01C760
              Function 0386D1D0 Relevance: .0, Instructions: 47COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction ID: e8bb8f9f6b291edd4a5b00685aac97dfb23511d40e7dc433045e46a61223be4c
              • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
              • Instruction Fuzzy Hash: 3901D47AB01648DBD711DAE8E801F65B3A9ABC4624F1481D5FA26CF380DB74E905C791
              Function 0382826B Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7fb149136edb9a52abf22e35c5f271194a583892036c5671aa6f312ccac4ef1c
              • Instruction ID: 7263a73830dae6f78a2582caa3b365e12c3ee045163282bda2bd1702c0fe42df
              • Opcode Fuzzy Hash: 7fb149136edb9a52abf22e35c5f271194a583892036c5671aa6f312ccac4ef1c
              • Instruction Fuzzy Hash: 0201F735700A18DFCB14EBF9DC149AEBBB9EF84210F1940E99902EF640EE30DD41C6A1
              Function 0384E016 Relevance: .0, Instructions: 46COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction ID: 11027540bb10607d3669843c2b857c968a7747b24058b5db3437c855e9fcc3d7
              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
              • Instruction Fuzzy Hash: 1F015A722006889FD322D79DC948F36B7ECFB85754F0D04E2E815CBA91D768EC40C621
              Function 038EF367 Relevance: .0, Instructions: 45COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e337124a151b08cfea9fe81adcf17bd34289af846ab48b817b6d001b1f841f89
              • Instruction ID: 257dd4f4d73b4d2bc410d53b9cd10f01199d16b70803c343e5fc5d096f426eb6
              • Opcode Fuzzy Hash: e337124a151b08cfea9fe81adcf17bd34289af846ab48b817b6d001b1f841f89
              • Instruction Fuzzy Hash: 7C017C75A10358ABDB10EBE9D805FAEBBB8EF84700F0440A6A500EB280D6B4D900C7A5
              Function 038F972B Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
              • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
              • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
              Function 03905636 Relevance: .0, Instructions: 44COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1bbed04bbb84a1ddaf117942a8a538d7bfc2e6232f30667ed9f109f28d9b914
              • Instruction ID: a7e5e9c3d6330e8d4c56dfffac5a353d1197ee5dc3d8deee61ba3945fc6a3111
              • Opcode Fuzzy Hash: c1bbed04bbb84a1ddaf117942a8a538d7bfc2e6232f30667ed9f109f28d9b914
              • Instruction Fuzzy Hash: D3116D78D10249EFCB04EFA9D440A9EB7B8EF18304F14849AA814EB380E674DA02CB95
              Function 0382C310 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction ID: 0b1f3a4e174359e6db7e511f77e6f2ee85ff3bd97ef0a874183762ea906ab57e
              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
              • Instruction Fuzzy Hash: 62F04C372447329BC732D6DD4884F7FADB58FC5AA4F1900B5E109DF200CA648C4192D1
              Function 03905152 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 246a773f1db98ba280226daadf85c7268bce2af37866d501b109f9653f06a9ee
              • Instruction ID: 5e23e773f760dc0ceaae73d371b3d36cdce053de3685ec2c2dafa59e0dacebd0
              • Opcode Fuzzy Hash: 246a773f1db98ba280226daadf85c7268bce2af37866d501b109f9653f06a9ee
              • Instruction Fuzzy Hash: 3F012C75A1020DAFDB00DFA9D941AEEBBF8FF49300F14405AE904FB380D674EA018BA1
              Function 039050D9 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 155f7a2ce994a8b40b68515c562834df5be29127a0037f2b351973bd89d24084
              • Instruction ID: b8dac4dd90754a9b01353871c46b71a4373d09b311690226ddca7e6285a90ec3
              • Opcode Fuzzy Hash: 155f7a2ce994a8b40b68515c562834df5be29127a0037f2b351973bd89d24084
              • Instruction Fuzzy Hash: 9E011AB5A00209AFDB00DFA9D941AAEB7B8EF49344F54405AE504FB280D674E9018BA1
              Function 03905060 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 33be8875524c6ed0dff03e556365f18b43421474942bc77df7f47db9fdb07b41
              • Instruction ID: bfaf13eb2ebfadf28984fa2d73ccb74490f52bd4b2b3fba54c434aa23b8f61fa
              • Opcode Fuzzy Hash: 33be8875524c6ed0dff03e556365f18b43421474942bc77df7f47db9fdb07b41
              • Instruction Fuzzy Hash: 4E015A75A00209AFCB00EFA9D941AAEB7B8EF48300F10405AE904EB381D674EA018BA1
              Function 0385C073 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction ID: c6cb39affcd8a52afe491d59e4b0df5159c1b9148d300b37978d95ba03245b83
              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
              • Instruction Fuzzy Hash: 9CF0C2B3600614ABD324CF8DDC40E57FBFADBC0A80F088168E905CB220EA31DD04CB90
              Function 03865734 Relevance: .0, Instructions: 43COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction ID: 3423cd3b4ff26849d71edb093773f1c78421f477a55fe09a6a0354dae4d0cd8b
              • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
              • Instruction Fuzzy Hash: 70F0FF72A01214AFE719CF9CC840F6AF7EDEB46650F0940B9D500DF230E671DE04CA94
              Function 038EF78A Relevance: .0, Instructions: 42COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d788facf7bf7f9fc3fb240d136ad1b0d161697bdc3f534dc3a8e6d6ad1b74213
              • Instruction ID: adc10705f3392c4cbb523ad08529d9e0e8761c95af5390a976b5ac8a9cba885c
              • Opcode Fuzzy Hash: d788facf7bf7f9fc3fb240d136ad1b0d161697bdc3f534dc3a8e6d6ad1b74213
              • Instruction Fuzzy Hash: F4010CB5E0074DAFCB04DFE9D545AAEBBF4EF48304F1080AAA955EB341E674DA00DB91
              Function 038B63C0 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction ID: d33fde9acd94cc0ad6ac745b7e1138514ed039bb373534f2aa282c76a5e2fbb1
              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
              • Instruction Fuzzy Hash: 4EF0F97620011DBFEF019F98DD80DAFBB7DEB49298B104165BA11A6160E631DE21ABA0
              Function 038EF2F8 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a13ad8f3cc0a448f260e25fd485991483baa44de075567051e844a5659dc9d68
              • Instruction ID: a0b8e872d4dee0b8baf5d719cf44393ceb215648917a5e201eedf3b1e18a22fe
              • Opcode Fuzzy Hash: a13ad8f3cc0a448f260e25fd485991483baa44de075567051e844a5659dc9d68
              • Instruction Fuzzy Hash: CBF0C876B10348ABDB04DFFDC805AEEB7B8EF44710F008096E501FB280DAB4D9018792
              Function 039061E5 Relevance: .0, Instructions: 41COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c498d5d1fa49c9820167b68c11864f668dd4e776be9d8d5a4d1c42e172b267ec
              • Instruction ID: b17ad0ee4a4d1713b018de4e20155c2d12bea5f02d7c52d068076c90ce0dea34
              • Opcode Fuzzy Hash: c498d5d1fa49c9820167b68c11864f668dd4e776be9d8d5a4d1c42e172b267ec
              • Instruction Fuzzy Hash: D6018F71A00258DFCB00DFA9D841AEEB7F8EF48310F14005AE500EB280D778EA01CB95
              Function 0386724D Relevance: .0, Instructions: 40COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction ID: e5d1f09012d66fa4313cf92b08ec2fdf5c90daa5caa490627033a17b6026e4e4
              • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
              • Instruction Fuzzy Hash: 98F06275A11359ABEB14D7FA8940FABBBA99F84618F0885E5B903DB344DA30E940C7D0
              Function 039053FC Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8f57e03f9554dedaa5501d65449fb223a6708ae859e504a278bdbac206c9548d
              • Instruction ID: 8be5c78b239890a80854597e1f7b18bbdc3a361c01ffdf0308051dc7b24675dc
              • Opcode Fuzzy Hash: 8f57e03f9554dedaa5501d65449fb223a6708ae859e504a278bdbac206c9548d
              • Instruction Fuzzy Hash: 02011AB4A00209DFDB04DFA9D545B9EF7F4FF08300F1482A9A519EB381EA74DA408B91
              Function 0382C0F0 Relevance: .0, Instructions: 39COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 423b2fb61ea17f914a6f12181432686f1614bbde9fc3dcdc753582dc4d1a0560
              • Instruction ID: a4009ef82eb35b03f96767027d7ea5ebd7d77acfe32c9b2e7e486fcc6f295dff
              • Opcode Fuzzy Hash: 423b2fb61ea17f914a6f12181432686f1614bbde9fc3dcdc753582dc4d1a0560
              • Instruction Fuzzy Hash: 44F024712043245BF760D6D99C02B763AAAEBC0750F2980EAEB05CF2C0FA70EC81C395
              Function 03903749 Relevance: .0, Instructions: 38COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction ID: 794c41c93d8acfb2c94113d0677bc6ed69e7c92c0fcec770fc435a836b613374
              • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
              • Instruction Fuzzy Hash: CFF0447A540304BFE711DBA8CD41FDA77BCDB04710F100565A555DA1D0E670EA44CB91
              Function 038D437C Relevance: .0, Instructions: 37COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction ID: d887b10f1b2b6fa9c979053d0fc331dfcfcd96bcc4e643872593e0268f20c85a
              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
              • Instruction Fuzzy Hash: 37F05435341A1247DB7EFAEF9810E2FE3559FC0A50B4905AC9455CBE40DF70D8018791
              Function 038EF3E6 Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 609f11c4b721b3c11ec2cb299175920e264ac7cc1e26405d47101fab62807d3f
              • Instruction ID: ca695dbb5a8e13d28bbd6fe42c0ab44116540cb035cb986b2af8780b64ffc6d9
              • Opcode Fuzzy Hash: 609f11c4b721b3c11ec2cb299175920e264ac7cc1e26405d47101fab62807d3f
              • Instruction Fuzzy Hash: 4AF03775A0124CEFCB04EFE9D545A9EB7F4EF48304F4080A9B945EB381E674EA01CB56
              Function 038292FF Relevance: .0, Instructions: 35COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c68d662f37bdd7fc91e1c0b28293c28cc9f51470427eaeb3dbe26f398943ffe4
              • Instruction ID: 1ac8ab2c786f6bde5c93fb023f66ef8d84cfc15166e85a7ad9be4f2759058aef
              • Opcode Fuzzy Hash: c68d662f37bdd7fc91e1c0b28293c28cc9f51470427eaeb3dbe26f398943ffe4
              • Instruction Fuzzy Hash: DAF0FA32200744ABC731EB89DC08F9BBBEDEFC4B00F0801A9E942C3090C7A0A948C660
              Function 038347FB Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 58e071acea204730354d6dec50616f1bfd73a2dd490423b39f75fc31ba085ebd
              • Instruction ID: 6d6a7fb148cec79891673765d69b0f70a638e70f9a326a26c4688df6790687f2
              • Opcode Fuzzy Hash: 58e071acea204730354d6dec50616f1bfd73a2dd490423b39f75fc31ba085ebd
              • Instruction Fuzzy Hash: A1F090399127D49EDB21CBDAC448B21B7D8DB0A664F0C89EAD589C7741C724D881CA91
              Function 038EF6C7 Relevance: .0, Instructions: 33COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bba9a462ac7c5dc9dea83968bd082fcf734e97d112c4afaef4fd4e1c91dbe82d
              • Instruction ID: d355cc69b48d65df15e0527f5c6d2d4d582b6ae904a597416c9c90b57135178d
              • Opcode Fuzzy Hash: bba9a462ac7c5dc9dea83968bd082fcf734e97d112c4afaef4fd4e1c91dbe82d
              • Instruction Fuzzy Hash: 4BF06D79A10388EBDB04EFE9D805EAEB7F4AF48304F0440A9E505EB281E674D900DB55
              Function 038F0115 Relevance: .0, Instructions: 32COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e9b6f623079c9d7cebec46118b841e7e63f16eec37d4519a78d1f96d57c11395
              • Instruction ID: 5092f83974b846c82fe702aa16cae338330e8b776bb3447f30180f112e6c044f
              • Opcode Fuzzy Hash: e9b6f623079c9d7cebec46118b841e7e63f16eec37d4519a78d1f96d57c11395
              • Instruction Fuzzy Hash: DFF0A7BE41EBD44ECF32FBA86490291AF599757150F1D14C5C6A1DF607C9B488C3C725
              Function 0390539D Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 37117793c08c0434ea8c8fe1d2753ae3e2c09f8a076ab731209bc069471afa16
              • Instruction ID: f7d37a81ecd1a2d6bb42870b64de9fdec2245712d13025ce378b37cd2565dce0
              • Opcode Fuzzy Hash: 37117793c08c0434ea8c8fe1d2753ae3e2c09f8a076ab731209bc069471afa16
              • Instruction Fuzzy Hash: 8EF0B474A1434CDFDB04EBB9D441F5DB7B4EF04300F108094E501EB280DAB4D901CB25
              Function 03905283 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 655be8409b93bd4b333a4f5b98acfe89a8865a5520c88d99c9e52a9cdb923fb9
              • Instruction ID: bd1298365fa938635cff3dc2e85bfcda3522feeee2576f970e336addee986f81
              • Opcode Fuzzy Hash: 655be8409b93bd4b333a4f5b98acfe89a8865a5520c88d99c9e52a9cdb923fb9
              • Instruction Fuzzy Hash: 7FF0BE78A14308EFDB04EBA9D901EAEB7F8BF04300F044498A441EB2C1EA74D9008B52
              Function 039052E2 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f8df9835616f900361fd307f8253f4b9c0a8139d5beaad27eb12038f15bb37f3
              • Instruction ID: 34aa2c24b242121dab6ebbb2683f0e7fee4112d6493c7397facc138765e2c59a
              • Opcode Fuzzy Hash: f8df9835616f900361fd307f8253f4b9c0a8139d5beaad27eb12038f15bb37f3
              • Instruction Fuzzy Hash: B3F0BE74A14348EFDB04EFB9E901E6EB3B8AF14300F044498A401EB2C0EAB4D900CB56
              Function 03872619 Relevance: .0, Instructions: 31COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction ID: 2b196d2574d0054ff66c72aa8ce1ecf064b8e1169ef6af31fd71a990113e842b
              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
              • Instruction Fuzzy Hash: B9E092723006002BD721DE9DCC80F47776EAF82B10F0404BAB5049E251CAE2DC0982A5
              Function 03905341 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31e0839993288a57cac8383f53f03b8fd6a8f4406e577daa776e8e1afba568c8
              • Instruction ID: eb33f2b586155989a9b2eb6c022b79a4f429f232fbf620d46ace4b7bc60fe61f
              • Opcode Fuzzy Hash: 31e0839993288a57cac8383f53f03b8fd6a8f4406e577daa776e8e1afba568c8
              • Instruction Fuzzy Hash: 84F08274A0424CEFDB04EBB9D945E9EB7B8AF49244F540499A501EB2D0EA74D9008716
              Function 03867208 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: becc32b973f815557c600ffe94f2dc2c2c36c233b1ad4376d2db4dc7bb90470c
              • Instruction ID: af852c923492f18ace13c5bf36b6c3d6b958bb557a0766985fb4f539f2e2d757
              • Opcode Fuzzy Hash: becc32b973f815557c600ffe94f2dc2c2c36c233b1ad4376d2db4dc7bb90470c
              • Instruction Fuzzy Hash: 8DF08275911A949FEB21D7AEC584B11B7D9AF40674F0D85E1D405CB741CBA8D880C691
              Function 03905227 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 38c07d58bd1d4a349948ab022b833b5418a5d703a026c0e55ada82bf59bf12a4
              • Instruction ID: c72107c20caf633633d0d7020f782b4b5ccaeaf530709fbd803f86cbc9f2b949
              • Opcode Fuzzy Hash: 38c07d58bd1d4a349948ab022b833b5418a5d703a026c0e55ada82bf59bf12a4
              • Instruction Fuzzy Hash: 94F08274A14348AFDB14EBEDD905E6EB3B8AF44704F050498A901EF2C1EA74D9008756
              Function 039051CB Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55af38e68440d590ea96d887f073219530ff4ba0359019f8feb860b5861f3e2e
              • Instruction ID: 8a707e462a568a5eff4fc079a8f600d90bc11caa508af1e79c98d0adf802d5cc
              • Opcode Fuzzy Hash: 55af38e68440d590ea96d887f073219530ff4ba0359019f8feb860b5861f3e2e
              • Instruction Fuzzy Hash: C6F08274A1524CEFDB04EBEDD905E6EB3B8EF04304F040499A901EF2C1EA74E900CB56
              Function 038AD070 Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction ID: 8793014b1322a47ae8f8d55b291f9f164c8a3f80408503e4d58c12b261459ae5
              • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
              • Instruction Fuzzy Hash: 06F0A03260461467C220AA4D8C05F5AFBACDBD5B70F10425ABA24DA1D0DA60A911D7D6
              Function 038EF72E Relevance: .0, Instructions: 30COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cdbe303ad1e626011dd94724206e35de65040391b19d27b865699dd62ec7bb0
              • Instruction ID: b3cf750b30fdb00c66e9c01176e6a032961ca38a56973dbf8182fcaaa8bc0eca
              • Opcode Fuzzy Hash: 0cdbe303ad1e626011dd94724206e35de65040391b19d27b865699dd62ec7bb0
              • Instruction Fuzzy Hash: E3F08275A11348ABDB04EBE9D955E9E77B4EF08704F050094E641EF280E974D9019756
              Function 03830710 Relevance: .0, Instructions: 28COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 998db245e0b4ca0e7d8ec596638ecd8510a45fc559e1cc568f74fcd5639abe4c
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: F1F0ED7E3043489BDB16DF99C040AA57BA8EB42360B0440D4E842CB300EB72E982CBC1
              Function 039037B6 Relevance: .0, Instructions: 27COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction ID: f05937ef5e747067ffac7c981f8dd09600cfc94ace041bb1866997ca3679e0a8
              • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
              • Instruction Fuzzy Hash: B2E06D76210204AFE764DB58CD45FA673ACEB40760F180258B115D74D0DAB0AE40CA60
              Function 038B4000 Relevance: .0, Instructions: 22COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: 05ac9f38f272f3785a67f280ceb2b54b366fba09221d6d728d3b02b7fde71293
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 99E0C2343003068FD755CF5AC041BA6B7B6BFD5A10F28C0A8A8488F306EB32E843CB40
              Function 038EB3D0 Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction ID: bbe2c8b107f27e94284c0d29f3d73aeba8dd42dbb1bf50b23a4651f4d0619076
              • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
              • Instruction Fuzzy Hash: 21E0CD35244318B7DB23AA84CC00F797B55DB417D4F104071FA08DEA50C5B19D91D6D5
              Function 0382823B Relevance: .0, Instructions: 21COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: b25870bfe444b599086fdd8d512d4d6d98eb5999fa18ba7b863a6e29cdbbfa06
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: C6E08C35101B24EEDB31EFA9DC04B527AA6FF84B10F1448E9E0818A4A487B0A8D1DA45
              Function 038B92BC Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 83bf41b91c3c3ea5ec8f0b22ec48070caeb9b6cdb87728886319179163633f75
              • Instruction ID: 84c13dc5e1c49a843ec369c64f504abb87daa158796be71e8dcdaa5d47706f7f
              • Opcode Fuzzy Hash: 83bf41b91c3c3ea5ec8f0b22ec48070caeb9b6cdb87728886319179163633f75
              • Instruction Fuzzy Hash: 79F0E534655B84CFE72ADF48C1E2B91B3B9FB99B44F510498D4468FBB1C73AA942CA40
              Function 03832050 Relevance: .0, Instructions: 20COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0ba3ac633ca1edae2769fc017677c1bea51e82d6c4f5c088f2c57ae7e47a933e
              • Instruction ID: f1f328b5338a2be32e7608f6baab5e55622000e0dec375486c370e2377e3e654
              • Opcode Fuzzy Hash: 0ba3ac633ca1edae2769fc017677c1bea51e82d6c4f5c088f2c57ae7e47a933e
              • Instruction Fuzzy Hash: 35E0C2332006546BC321FB9DDD00F4A739EEFA5360F004161F150CFAA0CA60AC00C7D5
              Function 0382A0E3 Relevance: .0, Instructions: 15COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: e6b1063d2d23711ac0d43cbc3afd2ae284f38cfe6b961503cde2a9b3389ba8ba
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 83D0223231213093CB2CE6D46800F63AD05AF80AA4F0A00AC380AD3800C8088C82C2E0
              Function 038402A0 Relevance: .0, Instructions: 13COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction ID: ee96871a9807210c57909f3e0db125cc446681f7a4e7b44fe69db62fd855efb2
              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
              • Instruction Fuzzy Hash: 5BD09275216A84CFD61BCB99C5A4B16B3A8BB44A48F8904D0E501CBB61D668D940CA00
              Function 038B930B Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction ID: 02adc4d58c16dd82ba9f7b28e4e257c22cca9a0d2903e5ba261f8b78f55aa8ac
              • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
              • Instruction Fuzzy Hash: 68D05E35945AC4CFE727CB08C165B907BF8F749B40F8910D8E04287BA2C37C9984CB10
              Function 0386C700 Relevance: .0, Instructions: 12COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: eb9e033027a3891ee232e60f2b6b20ed9d11edaa50639e63211638c6a0f712c2
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: 3FC0123A290748AFC712EA98CD01F027BA9EB98B40F004061F2048BA70C671E820EA84
              Function 03850310 Relevance: .0, Instructions: 11COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: 267725e476671269c30ec3208ccc00b4b1b5956bd80acb6486e1b78b6004f5b2
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: 60D01236100248EFCB01DF85C890DDA772AFBD8710F148019FD190B6108A31ED62DA50
              Function 03830750 Relevance: .0, Instructions: 9COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: c3eef8131cf127b254d0101ffe2eb05d233165d32f9020e660c8c5afd580d32b
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: B0C04879B11A458FCF15EBAAD294F4977E8FB44740F1908D0E805DBB21E668F811CA11
              Function 03874340 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c50324aba8d4f18421088d9a85102b1ea4a1cc003bed18f74713a350aa301588
              • Instruction ID: 6158b953938e4fa65184f0695d7a8c08037a1e0db5d092e0d4ebae9a81823019
              • Opcode Fuzzy Hash: c50324aba8d4f18421088d9a85102b1ea4a1cc003bed18f74713a350aa301588
              • Instruction Fuzzy Hash: 97900231605804169140B29848C4586400697E0301BA5C051E1428558C8B148A5A5362
              Function 03873090 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef4ffc9438c59e4dc37354358044a92ac3edc74cc375faf691723a69ea16141c
              • Instruction ID: 3d1187d38bc563b7cbd4c17935b5997db336238ece7132160f66065a62b4beee
              • Opcode Fuzzy Hash: ef4ffc9438c59e4dc37354358044a92ac3edc74cc375faf691723a69ea16141c
              • Instruction Fuzzy Hash: 5490022124140C06D140B29884547470007C7D0701FA5C051A1028558D87168A6966B2
              Function 03873010 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e265b0bba5157aaca3da00da4293b1fc486099655846690ba24350ed6a0e77e8
              • Instruction ID: 9338f67405f70701324fd1e09126289f1dfe839e626e3a3f6d771e9e89661978
              • Opcode Fuzzy Hash: e265b0bba5157aaca3da00da4293b1fc486099655846690ba24350ed6a0e77e8
              • Instruction Fuzzy Hash: 0F90022120184846D140B3984844B4F410687E1302FE5C059A515A558CCA1589595722
              Function 03874650 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f7c8a36977247652879f550ddee12b9578b4832790836c7c2fd1bdc5a9dcb8e9
              • Instruction ID: e9d410e665175180e69b3e718fbebb68f90b96d91e671e58a0181feb56aaa57d
              • Opcode Fuzzy Hash: f7c8a36977247652879f550ddee12b9578b4832790836c7c2fd1bdc5a9dcb8e9
              • Instruction Fuzzy Hash: EF900261601504464140B2984844446600697E13013E5C155A1558564C87188959926A
              Function 03872B80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55b8cc4d39919cffa69eeb947e823d1b546fe9cfdf904133498191e4425c6da4
              • Instruction ID: 462fb5687c83733fd99b6727755192341fd921f9fd980cd3e9d73034e817e194
              • Opcode Fuzzy Hash: 55b8cc4d39919cffa69eeb947e823d1b546fe9cfdf904133498191e4425c6da4
              • Instruction Fuzzy Hash: DC90023120140C06D104B29848446C6000687D0301FA5C051A7028659E976589957132
              Function 03872BA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57be65422121b3aae99a6192b79085ea92937f43b2e358562ce0a413452fd5a2
              • Instruction ID: aeb0083f85f521cfc50d986b99ca2b242ee6568e5370659a94ca7e6c98eec3b6
              • Opcode Fuzzy Hash: 57be65422121b3aae99a6192b79085ea92937f43b2e358562ce0a413452fd5a2
              • Instruction Fuzzy Hash: 0290023160540C06D150B2984454786000687D0301FA5C051A1028658D87558B5976A2
              Function 03872BE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8c3ec4adfe2dfc28b3fad0a960952cc407efe6c96b6d11f4542b5d58d74b9ff7
              • Instruction ID: baadac6c69362db8b3e1590f477fbf9c087852d8c3ecd9f8a537a422a6342e97
              • Opcode Fuzzy Hash: 8c3ec4adfe2dfc28b3fad0a960952cc407efe6c96b6d11f4542b5d58d74b9ff7
              • Instruction Fuzzy Hash: A790023120544C46D140B2984444A86001687D0305FA5C051A1068698D97258E59B662
              Function 03872BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c7312ddbb3afe5429c1155ced8956f1162fc0b6478b827c5c65c9913fb69af5
              • Instruction ID: 7eb52d04d60ca75482778d91298d49fd108de93608ceab9f92ba9fe99ba145e6
              • Opcode Fuzzy Hash: 4c7312ddbb3afe5429c1155ced8956f1162fc0b6478b827c5c65c9913fb69af5
              • Instruction Fuzzy Hash: FE90023120140C06D180B298444468A000687D1301FE5C055A1029658DCB158B5D77A2
              Function 03872AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8af71a0c041cae06db46504e0d89720cec618e9838dfc3b45fd3b2fd7f41c643
              • Instruction ID: 2da6c230eff87bb7dbb46147d38c8aa6476482e71ed983d6d198c57b59f2d529
              • Opcode Fuzzy Hash: 8af71a0c041cae06db46504e0d89720cec618e9838dfc3b45fd3b2fd7f41c643
              • Instruction Fuzzy Hash: 2E9002A1201544964500F3988444B4A450687E0301BA5C056E2058564CC62589559136
              Function 03872AD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9ebf286e65d6254d4643b7ad5fc3dd27d83fd5ab9063691c3b63abd3fd38549a
              • Instruction ID: 3e612b026a88bdadf96c965caab8a10e5884b125d13caf99908ce47cebabe6c2
              • Opcode Fuzzy Hash: 9ebf286e65d6254d4643b7ad5fc3dd27d83fd5ab9063691c3b63abd3fd38549a
              • Instruction Fuzzy Hash: CF900225211404070105F6980744547004787D53513A5C061F2019554CD72189655122
              Function 03872AF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3d26ac2590f53fb2e7b61db498c26019477f93d1602c4a3759645fc8133d5b5
              • Instruction ID: 2e005e8dfcbf40f37e06f926d40a31ea7daba89fbdb403189a3af244ea1b028d
              • Opcode Fuzzy Hash: f3d26ac2590f53fb2e7b61db498c26019477f93d1602c4a3759645fc8133d5b5
              • Instruction Fuzzy Hash: D8900225221404060145F698064454B044697D63513E5C055F241A594CC72189695322
              Function 038739B0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 289bf1ffe0f8496261df41d343851d4143937c361b939e582aff7989bb602607
              • Instruction ID: 7b53892a935c6c98fde2119ac745b18933cb459eba056d6fb0b0e582be190f68
              • Opcode Fuzzy Hash: 289bf1ffe0f8496261df41d343851d4143937c361b939e582aff7989bb602607
              • Instruction Fuzzy Hash: 2A90022124545506D150B29C44446564006A7E0301FA5C061A1818598D865589596222
              Function 03872F90 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 99224844d09609cda847ec77872c587c77fb1478a8190df281f21249b47d4a8f
              • Instruction ID: 71d17e0d2903fbab4afcaf945aa91b5834b15ebe84d9840b995263593ae47f91
              • Opcode Fuzzy Hash: 99224844d09609cda847ec77872c587c77fb1478a8190df281f21249b47d4a8f
              • Instruction Fuzzy Hash: DE90023120180806D100B298485474B000687D0302FA5C051A2168559D872589556572
              Function 03872FA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6dfa647af551bed7951efa6bcec67c9c551ad7b537f6df5d1bf60dbe7f0bad2
              • Instruction ID: a03f96251961d09c6a4d26868f6cdf0795f94211d39882ecdb03f438e23a7d82
              • Opcode Fuzzy Hash: e6dfa647af551bed7951efa6bcec67c9c551ad7b537f6df5d1bf60dbe7f0bad2
              • Instruction Fuzzy Hash: 7290023120180806D100B2984848787000687D0302FA5C051A6168559E8765C9956532
              Function 03872FB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 072dc0de41f7c182bed604b821e4c6485131f31f0d2ee29dc696c32059f34826
              • Instruction ID: 1983b86864fdc9697310b1b4b75938a59cfe60ef6225062f04e6626637098400
              • Opcode Fuzzy Hash: 072dc0de41f7c182bed604b821e4c6485131f31f0d2ee29dc696c32059f34826
              • Instruction Fuzzy Hash: 34900221601404464140B2A888849464006ABE13117A5C161A199C554D865989695666
              Function 03872FE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d534d4c1d5ef82fc4430989d261844d9d939af3452edde1cec066700daabb25c
              • Instruction ID: 06a82161c8354bf48f8a640caecd29b186795f737c55a36de0b728ea611bfb51
              • Opcode Fuzzy Hash: d534d4c1d5ef82fc4430989d261844d9d939af3452edde1cec066700daabb25c
              • Instruction Fuzzy Hash: 8E900221211C0446D200B6A84C54B47000687D0303FA5C155A1158558CCA1589655522
              Function 03872F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5088da80c10d95947347ba15a4762e26c670219591d5999ed924af9f1e940cc5
              • Instruction ID: 244c40a51976ae1ed193d35ec2f1ca08503bd4a18e9eed2f49205e8685346ae7
              • Opcode Fuzzy Hash: 5088da80c10d95947347ba15a4762e26c670219591d5999ed924af9f1e940cc5
              • Instruction Fuzzy Hash: 1890026134140846D100B2984454B460006C7E1301FA5C055E2068558D8719CD566127
              Function 03872F60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: edaa62b715c4531957eabc6e806d00a7df2d21620885d71c5e231e6cd3191850
              • Instruction ID: 17b643377ac8447e4e10d033a87b562093b94c5ac6bcf516229e4434ad226185
              • Opcode Fuzzy Hash: edaa62b715c4531957eabc6e806d00a7df2d21620885d71c5e231e6cd3191850
              • Instruction Fuzzy Hash: 1D90026121140446D104B2984444746004687E1301FA5C052A3158558CC6298D655126
              Function 03872E80 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 341add43e8630aea0561152d639781153617f2f76261bf314d9d75670fde8c04
              • Instruction ID: cfd5cf455fc320a9792499c68348bcdd9cc08754e4fae1bc4804885e1d4af621
              • Opcode Fuzzy Hash: 341add43e8630aea0561152d639781153617f2f76261bf314d9d75670fde8c04
              • Instruction Fuzzy Hash: 8790022160140906D101B2984444656000B87D0341FE5C062A2028559ECB258A96A132
              Function 03872EA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c018e5b7222a37e91feaa5a7577432ea530415ac341188d51a1172e8ba561cb
              • Instruction ID: cd65a714a82f43856e199d71a65957981f1eadf78cd555ea4db75f261dd8fc35
              • Opcode Fuzzy Hash: 7c018e5b7222a37e91feaa5a7577432ea530415ac341188d51a1172e8ba561cb
              • Instruction Fuzzy Hash: A090027120140806D140B2984444786000687D0301FA5C051A6068558E87598ED96666
              Function 03872EE0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e3034d6bd98fd5482aa43321f20d5a21cd531f9e7af677755f4087dca6fdcd91
              • Instruction ID: decebf6797983ac17ac24f5e4dfa95331608b2e8d65e5997eb654374ea22cd66
              • Opcode Fuzzy Hash: e3034d6bd98fd5482aa43321f20d5a21cd531f9e7af677755f4087dca6fdcd91
              • Instruction Fuzzy Hash: 1790026120180807D140B6984844647000687D0302FA5C051A3068559E8B298D556136
              Function 03872E30 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cccea602ceb8105dedf6717052dfa9c1f308b36ceb4b267ca4bfb56e00f34efe
              • Instruction ID: df764ec4dfde538a1753ef96c49f16bc7bf9980baedad5bc88cfb74e06050de9
              • Opcode Fuzzy Hash: cccea602ceb8105dedf6717052dfa9c1f308b36ceb4b267ca4bfb56e00f34efe
              • Instruction Fuzzy Hash: 8890022130140806D102B2984454646000AC7D1345FE5C052E2428559D87258A57A133
              Function 03872DB0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dc7b05384b429aea0fa859edbfc775a93cfd94fb7a01b1f42d9346aed7b03df3
              • Instruction ID: efb2598950f4cf875b0281e5145e8cc7d9d90ce10ef4f7fd88b192cb912533ee
              • Opcode Fuzzy Hash: dc7b05384b429aea0fa859edbfc775a93cfd94fb7a01b1f42d9346aed7b03df3
              • Instruction Fuzzy Hash: 2690023124140806D141B2984444646000A97D0341FE5C052A1428558E87558B5AAA62
              Function 03872DD0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b4fb39955c1cdec55061755ad517508a3f776cc56bf3a800a3dece65af5e88a
              • Instruction ID: de6efbafae872ce13a6d9fceaed45a35838300e8da87186796d146a0d8585e5b
              • Opcode Fuzzy Hash: 4b4fb39955c1cdec55061755ad517508a3f776cc56bf3a800a3dece65af5e88a
              • Instruction Fuzzy Hash: BD900221242445565545F2984444547400797E03417E5C052A2418954C8626995AD622
              Function 03872D00 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d1f69aa8cee3638f39afc50af1d73da150ddad837b3f5455b8decaa8afdfd049
              • Instruction ID: a9f65c2e18b59072fd97a359d022481033e396322d1a37704766ea5268fbe0c9
              • Opcode Fuzzy Hash: d1f69aa8cee3638f39afc50af1d73da150ddad837b3f5455b8decaa8afdfd049
              • Instruction Fuzzy Hash: A690022120544846D100B6985448A46000687D0305FA5D051A2068599DC7358955A132
              Function 03872D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9073a2541b3bdde796ef847ef00a211fb0574c3673f5675fa0731db2ba3decd9
              • Instruction ID: 5b39f8da44cc78659186dc51bff5a1cef7ef990bff7038e8476aaa2073fe378a
              • Opcode Fuzzy Hash: 9073a2541b3bdde796ef847ef00a211fb0574c3673f5675fa0731db2ba3decd9
              • Instruction Fuzzy Hash: 5E90022921340406D180B298544864A000687D1302FE5D455A101955CCCA15896D5322
              Function 03873D10 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c4b7f4c4649a153a3a8d7e54d0df9c8919ad6c755b7a1b2ef5960f338d5c790
              • Instruction ID: 751e154ed2ac53d8c516efdf2fddacf554d569638f1d754a92eacaa0a911c218
              • Opcode Fuzzy Hash: 9c4b7f4c4649a153a3a8d7e54d0df9c8919ad6c755b7a1b2ef5960f338d5c790
              • Instruction Fuzzy Hash: 15900231202405469540B3985844A8E410687E1302BE5D455A1019558CCA1489655222
              Function 03872D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cdc3f98bee13ad6f7ed8df3fe0d495180cb3c2b38d0d8e31f45b4d4f27838f56
              • Instruction ID: be3e35b29f021ff316d4fa2fbd53553878e98f524441bca3279f131d092092b3
              • Opcode Fuzzy Hash: cdc3f98bee13ad6f7ed8df3fe0d495180cb3c2b38d0d8e31f45b4d4f27838f56
              • Instruction Fuzzy Hash: B090022130140407D140B29854586464006D7E1301FA5D051E1418558CDA15895A5223
              Function 03873D70 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ea8203e8300aa5611b6be6a6840f48c9b396102cb319a7f46b64d9b28e82cda2
              • Instruction ID: 94146a427177c63766d660424cb4a3f956412a79c975dc7ce541c184d570ca2f
              • Opcode Fuzzy Hash: ea8203e8300aa5611b6be6a6840f48c9b396102cb319a7f46b64d9b28e82cda2
              • Instruction Fuzzy Hash: 2E90023520140806D510B2985844686004787D0301FA5D451A142855CD875489A5A122
              Function 03872CA0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4501a37d8a086e0d2ccd81c338eb596380b658047d45a674dd4cdc612c1edae4
              • Instruction ID: 7f95b53d0430a81cbac8962aed0cccc017eb08aaad18d6c03b4be93260020524
              • Opcode Fuzzy Hash: 4501a37d8a086e0d2ccd81c338eb596380b658047d45a674dd4cdc612c1edae4
              • Instruction Fuzzy Hash: EC90023120140806D100B6D85448686000687E0301FA5D051A6028559EC76589956132
              Function 03872CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cf6f3c2cdf0c19c16fcb578ef0226b179eba4ba16445f7f72c109b21f73c01a
              • Instruction ID: 834d4467449375ab606000c28458e3513473d5d1f8e33c35b56ed8cb33dc7df4
              • Opcode Fuzzy Hash: 5cf6f3c2cdf0c19c16fcb578ef0226b179eba4ba16445f7f72c109b21f73c01a
              • Instruction Fuzzy Hash: 0890022160540806D140B2985458746001687D0301FA5D051A1028558DC7598B5966A2
              Function 03872CF0 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fbf1962174ed7d3ac9a097de8b218fab332cb9d3571c3872dd65d92fef56f702
              • Instruction ID: 2d98841639d2641092ff048de1d98bed1cbc1344d77ca4e208a592ad208d82f7
              • Opcode Fuzzy Hash: fbf1962174ed7d3ac9a097de8b218fab332cb9d3571c3872dd65d92fef56f702
              • Instruction Fuzzy Hash: 1D90023120140807D100B2985548747000687D0301FA5D451A142855CDD75689556122
              Function 03872C60 Relevance: .0, Instructions: 4COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0c0bd9cf8ee4f414bb70e704e7b0d6ad487f6696c921e51c26a4fce7931aa41
              • Instruction ID: 62055f8a4a62b05dfafdeafe201549b50fc202b2b80ed4548d3f554b64592c51
              • Opcode Fuzzy Hash: b0c0bd9cf8ee4f414bb70e704e7b0d6ad487f6696c921e51c26a4fce7931aa41
              • Instruction Fuzzy Hash: 5790023120140C46D100B2984444B86000687E0301FA5C056A1128658D8715C9557522
              Function 03872C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a8595e53248563fb9b11f9c14fb7678433c00c91a8260877eac96fa032b0d65f
              • Instruction ID: 725ff3065874a0cb7581fd670df5d6917cfadb3ec04f454cd1351a7b2b59b057
              • Opcode Fuzzy Hash: a8595e53248563fb9b11f9c14fb7678433c00c91a8260877eac96fa032b0d65f
              • Instruction Fuzzy Hash: C390023120148C06D110B298844478A000687D0301FA9C451A542865CD879589957122
              Function 03872C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction ID: be7fb967ab264efbad7884ff8963197c3efcedc6d9b9756293c0ae460048449a
              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
              • Instruction Fuzzy Hash:
              Function 03872890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: c49b10e7484e304360b164e7a8039be2190f65ad936d00172572865a8469e5c4
              • Instruction ID: ea44d7a64406965c424ba81e8d099c5c2cf2a810920a2023199f903122d77852
              • Opcode Fuzzy Hash: c49b10e7484e304360b164e7a8039be2190f65ad936d00172572865a8469e5c4
              • Instruction Fuzzy Hash: 0C5109B5A0451ABFDF14DBDCC890A7EF7B9BB08204B1885E9E4A5D7641D338DE40CBA0
              Function 03867630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
              Download Yara Rule
              Strings
              • Execute=1, xrefs: 038A4713
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 038A4787
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 038A4655
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 038A46FC
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 038A4742
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 038A4725
              • ExecuteOptions, xrefs: 038A46A0
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: b1bd6af37f2659520d0fe2cfc3b85f425ed3ea9f02cda2722d9371748d27511c
              • Instruction ID: e52ea1b735e5ff404884de1d62f372543d7f53243a0cd35683fb27422a2c9b85
              • Opcode Fuzzy Hash: b1bd6af37f2659520d0fe2cfc3b85f425ed3ea9f02cda2722d9371748d27511c
              • Instruction Fuzzy Hash: 5951D93560071D6AEF20EAEDDC85FAE77BDAF04308F1400E9E505EB291E7719A45CB91
              Function 0387B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: 3316ce423bce16ca7a93c9f3c8cb72fd2850bd08a0de00fba1bff738255dfaf4
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: 24817D74E052499BDF26CEE8C8917EEBBA7AF45390F1C42D9D861EB390C634D940CB51
              Function 0385F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
              Download Yara Rule
              Strings
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038A02BD
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038A02E7
              • RTL: Re-Waiting, xrefs: 038A031E
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: 6ab6b3b2f8dee82805a31c8fa55b754634dfd4bc2facec305b44bd54ff0d7297
              • Instruction ID: b4963e099d299ce799e09d7217ddc9e50fc3a5a67f077213b7d3343ea066b151
              • Opcode Fuzzy Hash: 6ab6b3b2f8dee82805a31c8fa55b754634dfd4bc2facec305b44bd54ff0d7297
              • Instruction Fuzzy Hash: 88E1AE70608B41DFE725CFA8C884B2AB7E5BF84314F184A99FAA5CB2D1D774D944CB42
              Function 0386BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
              Download Yara Rule
              Strings
              • RTL: Re-Waiting, xrefs: 038A7BAC
              • RTL: Resource at %p, xrefs: 038A7B8E
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 038A7B7F
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 8d5cc2b34add04f66e3299f7f8cd25a35efaba9a5a4c91d5856404e741c3e82a
              • Instruction ID: 9219514e924e12696a4a7af0d1eb93e0aa122d13dddbf6632ae0cfa50b7e7579
              • Opcode Fuzzy Hash: 8d5cc2b34add04f66e3299f7f8cd25a35efaba9a5a4c91d5856404e741c3e82a
              • Instruction Fuzzy Hash: CB41F2353007029FD725DEAACC40B6AB7E9EF88714F140AADF95ADB290DB30E405CB91
              Function 0386B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
              Download Yara Rule
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 038A728C
              Strings
              • RTL: Re-Waiting, xrefs: 038A72C1
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 038A7294
              • RTL: Resource at %p, xrefs: 038A72A3
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: ff61c9f397059b33bb4f171095d1bbc45bae6f7094b0dae384deaf21fb318b6c
              • Instruction ID: f594f0b8acdde9b0d9b4e696bb51a9e2c1b22c610083e727e5974862240ec29d
              • Opcode Fuzzy Hash: ff61c9f397059b33bb4f171095d1bbc45bae6f7094b0dae384deaf21fb318b6c
              • Instruction Fuzzy Hash: 34412035700B46ABD721CEE9CC41B6AB7A5FF84718F1406A9F956EB240DB30E842C7D1
              Function 03877D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
              Download Yara Rule
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: 959df31c333e438215706cea0b2c4b36607ce99f27616b24cbaa405f23541278
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 8891C271E0020A9BDF24DEE9C981ABEB7A7EF44720F1845AAF865E72D0D730C941C750
              Function 03839126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000002.00000002.2285810566.0000000003800000.00000040.00001000.00020000.00000000.sdmp, Offset: 03800000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_2_2_3800000_svchost.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 92eb790c79927d514117cfdd601353dc8ead7cecd239b9ee5e06f638073f1e5a
              • Instruction ID: 0c82d0d49e48d688fc46f782253f15b9a9d859c4dd4245f2ce52013bc282fc4c
              • Opcode Fuzzy Hash: 92eb790c79927d514117cfdd601353dc8ead7cecd239b9ee5e06f638073f1e5a
              • Instruction Fuzzy Hash: 3F811976D002699BDB31DF94CC44BEEB6B8AB08710F0445EAE919F7680D7709E84CFA1